Re: Remove future events from index

fabiolabruzzo · ‎01-13-2022

Hello,

due to a Windows systems with wrong system/date (date was set in 2034) the _internal index in my Splunk environment has this situation

There's a way to remove the future events from this index?

Thanks a lot

fabiolabruzzo · ‎01-13-2022

Thanks,

do you mean like this:

index=_internal earliest=+1d latest=+15y | delete

?

ITWhisperer · ‎01-13-2022

Yes, that's the sort of thing, however, be careful that the search returns some rows otherwise the whole index gets deleted. You can do this something like this

index=_internal earliest=+1d latest=+15y
| appendpipe [stats count as events | where events = 0 | eval gobbledygook = random()]
| delete

ITWhisperer · ‎01-13-2022

Use the delete command - you need to create a search to retrieve all the events you want to delete first, and pipe that into the delete command. Be careful, the delete command cannot be undone, so you need to ensure you are deleting the correct events from the correct index, otherwise, you may delete more than you bargained for. Best practice is to have a separate user which has the delete capability and only use that user for deleting and nothing else.

Remove future events from index

summary indexing

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation