Re: Remove future events from index

fabiolabruzzo · ‎01-13-2022

Hello,

due to a Windows systems with wrong system/date (date was set in 2034) the _internal index in my Splunk environment has this situation

There's a way to remove the future events from this index?

Thanks a lot

fabiolabruzzo · ‎01-13-2022

Thanks,

do you mean like this:

index=_internal earliest=+1d latest=+15y | delete

?

ITWhisperer · ‎01-13-2022

Yes, that's the sort of thing, however, be careful that the search returns some rows otherwise the whole index gets deleted. You can do this something like this

index=_internal earliest=+1d latest=+15y
| appendpipe [stats count as events | where events = 0 | eval gobbledygook = random()]
| delete

ITWhisperer · ‎01-13-2022

Use the delete command - you need to create a search to retrieve all the events you want to delete first, and pipe that into the delete command. Be careful, the delete command cannot be undone, so you need to ensure you are deleting the correct events from the correct index, otherwise, you may delete more than you bargained for. Best practice is to have a separate user which has the delete capability and only use that user for deleting and nothing else.

Remove future events from index

summary indexing

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?