Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I remove eventdata even if splunk restarts ?

ohisa
New Member
‎03-05-2015 07:39 AM

Splunk Version: 6.1.2 (Free Edition)
OS: Mac OS X 10.10.2

How can I remove eventdata even if splunk restarts ?

I tried to remove all of indexed event data, with following commands

===
pollux:splunk ohisa$ pwd
/Applications/Splunk/var/lib/splunk
pollux:splunk ohisa$ /Applications/Splunk/bin/splunk stop
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
..
Stopping splunk helpers...

Done.
pollux:splunk ohisa$ /Applications/Splunk/bin/splunk clean eventdata -f
Cleaning database _audit.
Cleaning database _blocksignature.
Cleaning database _internal.
Cleaning database _introspection.
Cleaning database _thefishbucket.
Cleaning database history.
Cleaning database main.
Cleaning database summary.
Disabled database 'splunklogger': will not clean.
pollux:splunk ohisa$ ls defaultdb/
./ ../

pollux:splunk ohisa$

The directory 'defaultdb' -- index main -- is now empty. But after "splunk start", eventdata that have deleted above are restored as 'hot_v1_7'

====
pollux:splunk ohisa$ /Applications/Splunk/bin/splunk start

Splunk> Take the sh out of IT.

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _blocksignature _internal _introspection _thefishbucket history main summary
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done

Waiting for web server at http://127.0.0.1:8000 to be available.. Done

If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://pollux.local:8000

pollux:splunk ohisa$ ls defaultdb/
./ ../ colddb/ datamodel_summary/ db/ thaweddb/
pollux:splunk ohisa$ ls defaultdb/db
./ ../ .bucketManifest CreationTime GlobalMetaData/ hot_v1_7/
pollux:splunk ohisa$ ls defaultdb/db/hot_v1_7/
./ 1425593484-1425161467-1192398453668579227.tsidx bucket_info.csv
../ Hosts.data rawdata/
1425338835-1425288071-1192398874956226696.tsidx SourceTypes.data splunk-autogen-params.dat
1425365650-1425358532-1192398817086921380.tsidx Sources.data splunk-need-optimize.dat
1425514810-1425288071-1192398824996874412.tsidx Strings.data

pollux:splunk ohisa$

Thanks,
-Mitz

Tags (2)
0 Karma
Reply

teunlaan
Contributor
‎03-09-2015 03:33 AM

Don't delete the "_thefishbucket" index. It keeps track of what has been indexed and what not. By removing it, it will index all data that specified in in inputs.

so use : ./splunk clean eventdata -index -f for all indexes except _thefishbucket

0 Karma
Reply

emiller42
Motivator
‎03-05-2015 08:10 AM

Do you have any active inputs? What's happening here isn't that the data is getting restored. It's that new data is being indexed.

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...