How to remove events from each summary index and b...

manja054 · ‎09-26-2016

Hi,

I am new to summary indexes.

I have scenario to work with.

i have summary index searches for 1min, 5min,1hr,and a day. My 1min & 5min indexes have events from main index and 1 hr summary index is based on 5min summary index and for 1day its based on an hour summary index.

i want to remove events from each summary index mentioned above for the period of 4\5\2016 22:00 to 4\8\2016 14:43 and back fill the same using fill_summary_index.py. (My deployment server was down on that particular time)

Can anyone help me how can i achieve this without duplication of events please?

somesoni2 · ‎09-26-2016

Information on How to delete data
http://docs.splunk.com/Documentation/Splunk/6.4.3/Indexer/RemovedatafromSplunk#Delete_events_from_su...

How to backfill summary index
http://docs.splunk.com/Documentation/Splunk/6.4.3/Knowledge/Managesummaryindexgapsandoverlaps#Use_th...

Make sure that, in both steps, you're using same time range (The time range of backfill script should be in a way that it reloads deleted data.)

How to remove events from each summary index and backfill using fill_summary_index.py for a particular time period?

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How to remove events from each summary index and backfill using fill_summary_index.py for a particular time period?

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!