Knowledge Management

Remove Old Summary Index

clincg
Path Finder

Hi - does anyone know how to remove old summary index data? I have a few summary indexes saved in the system that was running the wrong query and thus indexed the wrong data. Every time I pull the data from that summary index report it will mix the wrong data into the result. We wanted to start over again, is there anyway to delete a particular summary index data or just clear that particular summary index report?

Tags (2)
1 Solution

ftk
Motivator

You should be able to keep the incorrect data from showing up with | delete. Come up with a search that only shows the bad data as a result, and then pipe it to delete. Note that this will not actually delete the data out of the index, but prevent it from showing up in future searches.

More info: http://www.splunk.com/base/Documentation/latest/Admin/RemovedatafromSplunk

View solution in original post

ftk
Motivator

You should be able to keep the incorrect data from showing up with | delete. Come up with a search that only shows the bad data as a result, and then pipe it to delete. Note that this will not actually delete the data out of the index, but prevent it from showing up in future searches.

More info: http://www.splunk.com/base/Documentation/latest/Admin/RemovedatafromSplunk

clincg
Path Finder

Thanks, the " | delete" actually works. Never thought of the "delete" command works for the summary index data as well.

0 Karma

hexx
Splunk Employee
Splunk Employee

You can delete the contents of the summary index by running :

$SPLUNK_HOME/bin/splunk stop

$SPLUNK_HOME/bin/splunk clean eventdata -index summary

Note that this will completely wipe that index, no events will be kept.

EDIT : The python script $SPLUNK_HOME/bin/fill_summary_index.py can be used to back-fill the summary index.

For more information about the usage of that script, see :

http://www.splunk.com/base/Documentation/4.1.4/Knowledge/Managesummaryindexgapsandoverlaps#Use_the_b...

hexx
Splunk Employee
Splunk Employee

I stand corrected, then. Thanks, G!

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

Backfilling does not require much work (in 4.x and up). Splunk comes with a backfill script that can backfill any summary index (or set of them) over any period with a single command line.

Get Updates on the Splunk Community!

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...