What's a safe way to clear all ITSI notable events...

paulstout · ‎02-07-2017

I am testing throttling/suppression on ITSI and would like to clear out the notables generated so far. Is this as simple as clearing them from index=itsi_tracked_alerts, or are there other cleanup tasks I should complete as well? If there's a published method I'm happy to read up on it myself, and thank you!

esnyder_splunk · ‎05-10-2018

This is also documented in the ITSI user manual: http://docs.splunk.com/Documentation/ITSI/3.1.0/User/Managenotableeventindexes#Clear_all_notable_eve...

dmahler99 · ‎10-09-2017

to completely refresh and clean notable events , you can do the following (try this in test first, not prod) :

How to wipe all events from indexes and kvstores and start over

$SPLUNK_HOME/bin/splunk stop
$SPLUNK_HOME/bin/splunk clean eventdata -index itsi_tracked_alerts;
$SPLUNK_HOME/bin/splunk clean eventdata -index itsi_grouped_alerts;
$SPLUNK_HOME/bin/splunk start

$SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_group
$SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_state
$SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_tag
$SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_comment
$SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_ticketing

What's a safe way to clear all ITSI notable events?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...