Knowledge Management

how to delete uploaded csv file

syjayaraj
Explorer

Hello Team,
I added an csv file using add data, I do not know how to delete it, could some help on this.
and where this normally sits .i.e the path e.g opt/splunk..

Tags (1)

hsesterhenn_spl
Splunk Employee
Splunk Employee

Hi,

let's summarize your options:

If you have uploaded a CSV using "Add Data" all events are copied from the CSV into an index (this is the main index by default if you don't change it). There is no thing as "stored CSV file". This file has been removed from the system after adding the events.
Using the "source=" search filter you can get all events which have been imported from this CSV.

If you want to delete a whole index use "splunk clean eventdata" on the CLI as mentioned. It will free the space on disk.

The "delete" command is only allowed for a special role as mentioned AND IT WILL NOT DELETE DATA FROM DISK!
http://docs.splunk.com/Documentation/Splunk/latest/Indexer/RemovedatafromSplunk#How_to_delete
Please read this explanation carefully.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delete

And as mentioned by Martin if you have uploaded a file to be used as a LOOKUP you have to delete it from the server itself.

HTH,
Holger

fdi01
Motivator

in CLI; go to splunk_home/bin/ use splunk clean command to do it
you can first run splunk help clean command to understand how clean command is it work

0 Karma

dkeck
Influencer

Hi,

you can also just delete the index you put the data in, assumed its the only data in this index otherwise thats not a help.

Settings->Indexes->delete
0 Karma

ngatchasandra
Builder

Hi syjayaraj,

  1. remove your csv file returns to delete the data therein. In the search bar, you can use delete operator .

To do this, your role must have the capability to do so. If you are an admin user, you must go add can_delete role because admin role don't have it by default.

After to this, run a search that returns events of your csv file like follow:

source=   (name_of_your_file.csv)  OR (Path/../ name_of_your_file.csv)|delete

This will remonve all data in your csv file

For more Explanation follow the link:

http://docs.splunk.com/Documentation/Splunk/latest/Indexer/RemovedatafromSplunk#Delete_events_from_f...

  1. I think that to see where your csv file is located, go to opt/Splunk/var/lib/splunk/defaultdb/db/hot_v1_0/rawdata if you use default index to index your file.

Note: hot_v1_0 is newsly created directory.

follow opt/Splunk/var/lib/splunk/your_index_nama/db/hot_v1_0/rawdata for for your particular index.

hsesterhenn_spl
Splunk Employee
Splunk Employee

Please do not remove files from the bucket if you are not familiar with Splunk internal details.

If you want to delete data use the official commands (Splunk clean on the CLI) or delete the whole index.

Holger

martin_mueller
SplunkTrust
SplunkTrust

You've probably uploaded a lookup .csv file, those sit in $SPLUNK_HOME/etc/apps/your_app/lookups or $SPLUNK_HOME/etc/system/lookups.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...