Other Usage
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Remove future events from index

fabiolabruzzo
Explorer
‎01-13-2022 06:33 AM

Hello,

due to a Windows systems with wrong system/date (date was set in 2034) the _internal index in my Splunk environment has this situation

fabiolabruzzo_0-1642084242473.png

There's a way to remove the future events from this index?

 

Thanks a lot

 

Labels (1)
Labels
0 Karma
Reply

fabiolabruzzo
Explorer
‎01-13-2022 07:12 AM

Thanks,

do you mean like this:

 

index=_internal earliest=+1d latest=+15y | delete

?

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-13-2022 08:10 AM

Yes, that's the sort of thing, however, be careful that the search returns some rows otherwise the whole index gets deleted. You can do this something like this

index=_internal earliest=+1d latest=+15y
| appendpipe [stats count as events | where events = 0 | eval gobbledygook = random()]
| delete
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-13-2022 06:39 AM

Use the delete command - you need to create a search to retrieve all the events you want to delete first, and pipe that into the delete command. Be careful, the delete command cannot be undone, so you need to ensure you are deleting the correct events from the correct index, otherwise, you may delete more than you bargained for. Best practice is to have a separate user which has the delete capability and only use that user for deleting and nothing else.

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...