Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to remove incorrectly timestamped events from index?

splunkIT
Splunk Employee
Splunk Employee
‎11-08-2012 10:08 AM

Got some indexed events that were incorrectly timestamped, like set to 20 years into the feature, and would like to know if the DELETE command would help in removing these bad events from the index.

Concern with these bad events, if not removed:
1. bucket will not roll to frozen/archiving. Currently, the frozen policy is 1-year.
2. performance impact, by having these events around

Tags (1)
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-08-2012 10:30 AM

The delete command will not remove data from the index properly, it will just exclude the events from future searches.

To avoid these wildly wrong timestamps from getting into your index you could look at reducing your MAX_DAYS_HENCE setting in props.conf, by default it's just a couple of days. Anything much larger rarely makes sense.

As for rolling the affected bucket to frozen, it might indeed not roll it on its own because it contains extremely new events far from the future. You could manually roll the bucket though, once you're certain the other correctly timestamped events are due for a freeze.

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-09-2012 03:11 PM

Warm and cold buckets' directory names contain the newest and oldest event timestamp in the bucket - in your very specific case of events indexed 20 years into the future that's enough to find the buckets containing badly timestamped events.

Another lazy way would be to wait a year for the natural roll to frozen, and pick out those that should have rolled but didn't.

0 Karma
Reply

splunkIT
Splunk Employee
Splunk Employee
‎11-09-2012 10:38 AM

Is there a way to determine which buckets are affected by the bad events?

0 Karma
Reply
Get Updates on the Splunk Community!

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

Splunk New Course Releases for a Changing World

Every day, the world feels like it’s moving faster with new technological breakthroughs, AI innovation, and ...

Insights from .conf 2025, Smart Edge Processor Scaling, and a New Splunk Lantern ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...