Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove Old Summary Index

clincg
Path Finder
‎08-03-2010 09:29 PM

Hi - does anyone know how to remove old summary index data? I have a few summary indexes saved in the system that was running the wrong query and thus indexed the wrong data. Every time I pull the data from that summary index report it will mix the wrong data into the result. We wanted to start over again, is there anyway to delete a particular summary index data or just clear that particular summary index report?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

ftk
Motivator
‎08-04-2010 12:21 PM

You should be able to keep the incorrect data from showing up with | delete. Come up with a search that only shows the bad data as a result, and then pipe it to delete. Note that this will not actually delete the data out of the index, but prevent it from showing up in future searches.

More info: http://www.splunk.com/base/Documentation/latest/Admin/RemovedatafromSplunk

View solution in original post

Reply
Solved! Jump to solution
Solution

ftk
Motivator
‎08-04-2010 12:21 PM

You should be able to keep the incorrect data from showing up with | delete. Come up with a search that only shows the bad data as a result, and then pipe it to delete. Note that this will not actually delete the data out of the index, but prevent it from showing up in future searches.

More info: http://www.splunk.com/base/Documentation/latest/Admin/RemovedatafromSplunk

Reply
Solved! Jump to solution

clincg
Path Finder
‎08-04-2010 10:19 PM

Thanks, the " | delete" actually works. Never thought of the "delete" command works for the summary index data as well.

0 Karma
Reply
Solved! Jump to solution

hexx
Splunk Employee
Splunk Employee
‎08-03-2010 10:40 PM

You can delete the contents of the summary index by running :

$SPLUNK_HOME/bin/splunk stop

$SPLUNK_HOME/bin/splunk clean eventdata -index summary

Note that this will completely wipe that index, no events will be kept.

EDIT : The python script $SPLUNK_HOME/bin/fill_summary_index.py can be used to back-fill the summary index.

For more information about the usage of that script, see :

http://www.splunk.com/base/Documentation/4.1.4/Knowledge/Managesummaryindexgapsandoverlaps#Use_the_b...

Reply
Solved! Jump to solution

hexx
Splunk Employee
Splunk Employee
‎08-04-2010 09:39 PM

I stand corrected, then. Thanks, G!

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-04-2010 06:09 PM

Backfilling does not require much work (in 4.x and up). Splunk comes with a backfill script that can backfill any summary index (or set of them) over any period with a single command line.

Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...