Ok, this is massively frustrating. I downloaded Splunk and installed it on my computer. I ran through the tutorials just to get a feel for how the thing worked. To start, I just indexed some of the logs on my local machine. Now I want to get rid of those sources... and I mean I want them GONE. I want the data gone, I want my disk space back, and I don't want the source to show up in the list on the search page. This REALLY shouldn't be so hard... why in the world isn't this as simple as adding data?
You can't delete the sources themselves. If you want to delete the data in your indexes, please use the command below:
Go to -> splunk//bin folder
splunk clean eventdata. Your data will be cleaned from the indexes.
Thanks for the link, but I think I'm going to have a hard time explaining to management that we can't clean the dashboard and make it readable, or reclaim our disk space.
If anyone from Splunk hangs out on this board, I'd love to hear the reasoning behind this "feature" so that I can try to make a case...
Using the delete command will remove the sources from showing up in the search without removing all of the data from the main index. This should clean up the dashboard.
For the future, set up a test index that will allow you to test new inputs and use it as a sandbox; this way you have an index you can use the clean command on without affecting the other indexes.