Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Installation
- :
- How can I remove eventdata even if splunk restarts...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I remove eventdata even if splunk restarts ?
Splunk Version: 6.1.2 (Free Edition)
OS: Mac OS X 10.10.2
How can I remove eventdata even if splunk restarts ?
I tried to remove all of indexed event data, with following commands
===
pollux:splunk ohisa$ pwd
/Applications/Splunk/var/lib/splunk
pollux:splunk ohisa$ /Applications/Splunk/bin/splunk stop
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
..
Stopping splunk helpers...
Done.
pollux:splunk ohisa$ /Applications/Splunk/bin/splunk clean eventdata -f
Cleaning database _audit.
Cleaning database _blocksignature.
Cleaning database _internal.
Cleaning database _introspection.
Cleaning database _thefishbucket.
Cleaning database history.
Cleaning database main.
Cleaning database summary.
Disabled database 'splunklogger': will not clean.
pollux:splunk ohisa$ ls defaultdb/
./ ../
pollux:splunk ohisa$
The directory 'defaultdb' -- index main -- is now empty. But after "splunk start", eventdata that have deleted above are restored as 'hot_v1_7'
====
pollux:splunk ohisa$ /Applications/Splunk/bin/splunk start
Splunk> Take the sh out of IT.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _blocksignature _internal _introspection _thefishbucket history main summary
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Done
Waiting for web server at http://127.0.0.1:8000 to be available.. Done
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at http://pollux.local:8000
pollux:splunk ohisa$ ls defaultdb/
./ ../ colddb/ datamodel_summary/ db/ thaweddb/
pollux:splunk ohisa$ ls defaultdb/db
./ ../ .bucketManifest CreationTime GlobalMetaData/ hot_v1_7/
pollux:splunk ohisa$ ls defaultdb/db/hot_v1_7/
./ 1425593484-1425161467-1192398453668579227.tsidx bucket_info.csv
../ Hosts.data rawdata/
1425338835-1425288071-1192398874956226696.tsidx SourceTypes.data splunk-autogen-params.dat
1425365650-1425358532-1192398817086921380.tsidx Sources.data splunk-need-optimize.dat
1425514810-1425288071-1192398824996874412.tsidx Strings.data
pollux:splunk ohisa$
Thanks,
-Mitz
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't delete the "_thefishbucket" index. It keeps track of what has been indexed and what not. By removing it, it will index all data that specified in in inputs.
so use : ./splunk clean eventdata -index -f for all indexes except _thefishbucket
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have any active inputs? What's happening here isn't that the data is getting restored. It's that new data is being indexed.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
