Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

clean main index

omershira
Explorer
‎12-15-2020 01:31 AM

Hello,

My team and I installed a new UF on one of our systems.

we wanted it to send the data from the system to a specific index we made for it.

after we installed the UF it immediately started to transfer data to the main index since its the default.

then I stopped the UF and changed the inputs.conf file so it will send the data to the specific  index and it did right when I started the UF again. 

The problem is that now there is still data in the main index. the indexes in the environment are clustered so the option of "splunk clean eventdata -index main" will not work on that case...

I couldn't find anothe solution, can you please help me?

thanks,

omer shira.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-15-2020 05:42 AM

Set frozenTimePeriodInSecs = 30 for that index and restart the indexers.  Allow a few minutes for the indexers to clean out main.  Once you see the index is empty, restore the original value and restart the indexers again.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-15-2020 05:42 AM

Set frozenTimePeriodInSecs = 30 for that index and restart the indexers.  Allow a few minutes for the indexers to clean out main.  Once you see the index is empty, restore the original value and restart the indexers again.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

omershira
Explorer
‎12-15-2020 07:21 AM

Hi, it worked! thanks!!

Reply
Solved! Jump to solution

omershira
Explorer
‎12-15-2020 06:14 AM

Thanks!

I will give it a try and let you know!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...