Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove Old Summary Index

clincg
Path Finder
‎08-03-2010 09:29 PM

Hi - does anyone know how to remove old summary index data? I have a few summary indexes saved in the system that was running the wrong query and thus indexed the wrong data. Every time I pull the data from that summary index report it will mix the wrong data into the result. We wanted to start over again, is there anyway to delete a particular summary index data or just clear that particular summary index report?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

ftk
Motivator
‎08-04-2010 12:21 PM

You should be able to keep the incorrect data from showing up with | delete. Come up with a search that only shows the bad data as a result, and then pipe it to delete. Note that this will not actually delete the data out of the index, but prevent it from showing up in future searches.

More info: http://www.splunk.com/base/Documentation/latest/Admin/RemovedatafromSplunk

View solution in original post

Reply
Solved! Jump to solution
Solution

ftk
Motivator
‎08-04-2010 12:21 PM

You should be able to keep the incorrect data from showing up with | delete. Come up with a search that only shows the bad data as a result, and then pipe it to delete. Note that this will not actually delete the data out of the index, but prevent it from showing up in future searches.

More info: http://www.splunk.com/base/Documentation/latest/Admin/RemovedatafromSplunk

Reply
Solved! Jump to solution

clincg
Path Finder
‎08-04-2010 10:19 PM

Thanks, the " | delete" actually works. Never thought of the "delete" command works for the summary index data as well.

0 Karma
Reply
Solved! Jump to solution

hexx
Splunk Employee
Splunk Employee
‎08-03-2010 10:40 PM

You can delete the contents of the summary index by running :

$SPLUNK_HOME/bin/splunk stop

$SPLUNK_HOME/bin/splunk clean eventdata -index summary

Note that this will completely wipe that index, no events will be kept.

EDIT : The python script $SPLUNK_HOME/bin/fill_summary_index.py can be used to back-fill the summary index.

For more information about the usage of that script, see :

http://www.splunk.com/base/Documentation/4.1.4/Knowledge/Managesummaryindexgapsandoverlaps#Use_the_b...

Reply
Solved! Jump to solution

hexx
Splunk Employee
Splunk Employee
‎08-04-2010 09:39 PM

I stand corrected, then. Thanks, G!

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-04-2010 06:09 PM

Backfilling does not require much work (in 4.x and up). Splunk comes with a backfill script that can backfill any summary index (or set of them) over any period with a single command line.

Reply
Get Updates on the Splunk Community!

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...