Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove Old Summary Index

clincg
Path Finder
‎08-03-2010 09:29 PM

Hi - does anyone know how to remove old summary index data? I have a few summary indexes saved in the system that was running the wrong query and thus indexed the wrong data. Every time I pull the data from that summary index report it will mix the wrong data into the result. We wanted to start over again, is there anyway to delete a particular summary index data or just clear that particular summary index report?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

ftk
Motivator
‎08-04-2010 12:21 PM

You should be able to keep the incorrect data from showing up with | delete. Come up with a search that only shows the bad data as a result, and then pipe it to delete. Note that this will not actually delete the data out of the index, but prevent it from showing up in future searches.

More info: http://www.splunk.com/base/Documentation/latest/Admin/RemovedatafromSplunk

View solution in original post

Reply
Solved! Jump to solution
Solution

ftk
Motivator
‎08-04-2010 12:21 PM

You should be able to keep the incorrect data from showing up with | delete. Come up with a search that only shows the bad data as a result, and then pipe it to delete. Note that this will not actually delete the data out of the index, but prevent it from showing up in future searches.

More info: http://www.splunk.com/base/Documentation/latest/Admin/RemovedatafromSplunk

Reply
Solved! Jump to solution

clincg
Path Finder
‎08-04-2010 10:19 PM

Thanks, the " | delete" actually works. Never thought of the "delete" command works for the summary index data as well.

0 Karma
Reply
Solved! Jump to solution

hexx
Splunk Employee
Splunk Employee
‎08-03-2010 10:40 PM

You can delete the contents of the summary index by running :

$SPLUNK_HOME/bin/splunk stop

$SPLUNK_HOME/bin/splunk clean eventdata -index summary

Note that this will completely wipe that index, no events will be kept.

EDIT : The python script $SPLUNK_HOME/bin/fill_summary_index.py can be used to back-fill the summary index.

For more information about the usage of that script, see :

http://www.splunk.com/base/Documentation/4.1.4/Knowledge/Managesummaryindexgapsandoverlaps#Use_the_b...

Reply
Solved! Jump to solution

hexx
Splunk Employee
Splunk Employee
‎08-04-2010 09:39 PM

I stand corrected, then. Thanks, G!

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-04-2010 06:09 PM

Backfilling does not require much work (in 4.x and up). Splunk comes with a backfill script that can backfill any summary index (or set of them) over any period with a single command line.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...