Splunk IT Service Intelligence

What's a safe way to clear all ITSI notable events?

paulstout
Path Finder

I am testing throttling/suppression on ITSI and would like to clear out the notables generated so far. Is this as simple as clearing them from index=itsi_tracked_alerts, or are there other cleanup tasks I should complete as well? If there's a published method I'm happy to read up on it myself, and thank you!

esnyder_splunk
Splunk Employee
Splunk Employee
0 Karma

dmahler99
Explorer

to completely refresh and clean notable events , you can do the following (try this in test first, not prod) :

How to wipe all events from indexes and kvstores and start over

$SPLUNK_HOME/bin/splunk stop
$SPLUNK_HOME/bin/splunk clean eventdata -index itsi_tracked_alerts;
$SPLUNK_HOME/bin/splunk clean eventdata -index itsi_grouped_alerts;
$SPLUNK_HOME/bin/splunk start

$SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_group
$SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_state
$SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_tag
$SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_comment
$SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_ticketing

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!