Solved: Re: clean main index

omershira · ‎12-15-2020

Hello,

My team and I installed a new UF on one of our systems.

we wanted it to send the data from the system to a specific index we made for it.

after we installed the UF it immediately started to transfer data to the main index since its the default.

then I stopped the UF and changed the inputs.conf file so it will send the data to the specific index and it did right when I started the UF again.

The problem is that now there is still data in the main index. the indexes in the environment are clustered so the option of "splunk clean eventdata -index main" will not work on that case...

I couldn't find anothe solution, can you please help me?

thanks,

omer shira.

richgalloway · ‎12-15-2020

Set frozenTimePeriodInSecs = 30 for that index and restart the indexers. Allow a few minutes for the indexers to clean out main. Once you see the index is empty, restore the original value and restart the indexers again.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-15-2020

Set frozenTimePeriodInSecs = 30 for that index and restart the indexers. Allow a few minutes for the indexers to clean out main. Once you see the index is empty, restore the original value and restart the indexers again.

---
If this reply helps you, Karma would be appreciated.

omershira · ‎12-15-2020

Hi, it worked! thanks!!

omershira · ‎12-15-2020

Thanks!

I will give it a try and let you know!

clean main index

administration

configuration

using Splunk Enterprise

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio