Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

index duplication

code_nomad
New Member
‎11-02-2012 04:14 AM

is there any way to delete/remove indexed data for a particular time range ? thanks in advance.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MHibbin
Influencer
‎11-02-2012 04:36 AM

You can filter you indexes to the events you wish to remove in the standard Splunk search view (i.e. flashtimeline). For example:

 <your filtering search> | delete

As this is "risky", the user will need to be assigned the "can_delete" role.

If it is in specific indexes, and you wish to remove that WHOLE index, you can use the CLI tool, "clean", to delete data from that Index. For example

./splunk clean eventdata ...

These methods should be used with extreme caution as the effects can not be reversed. I would recommend reviewing your filtering search carefully, and also reading the documenatation on this subject first... it should not be taken lightly.

http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/RemovedatafromSplunk

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MHibbin
Influencer
‎11-02-2012 04:36 AM

You can filter you indexes to the events you wish to remove in the standard Splunk search view (i.e. flashtimeline). For example:

 <your filtering search> | delete

As this is "risky", the user will need to be assigned the "can_delete" role.

If it is in specific indexes, and you wish to remove that WHOLE index, you can use the CLI tool, "clean", to delete data from that Index. For example

./splunk clean eventdata ...

These methods should be used with extreme caution as the effects can not be reversed. I would recommend reviewing your filtering search carefully, and also reading the documenatation on this subject first... it should not be taken lightly.

http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/RemovedatafromSplunk

0 Karma
Reply
Solved! Jump to solution

piebob
Splunk Employee
Splunk Employee
‎12-27-2012 01:59 PM

(i accepted your answer, mhibbin :))

0 Karma
Reply
Solved! Jump to solution

MHibbin
Influencer
‎11-02-2012 05:19 AM

... it's the empty tick next to the answer

Reply
Solved! Jump to solution

MHibbin
Influencer
‎11-02-2012 05:18 AM

no problem... if this answers your question, can you please mark it as accepted to "close" it off.

Reply
Solved! Jump to solution

code_nomad
New Member
‎11-02-2012 05:09 AM

thank you !!

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...