Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

clean eventdata with wildcard

jedatt01
Builder
‎06-25-2014 06:15 AM

I have about 100 indexes that all start with the same prefix EnLog_ and I want to clean the data in all of them. Is there a way at the command line to use a wildcard to clear them all at once (ex. clean eventdata EnLog_*)?

Tags (3)
0 Karma
Reply

lguinn2
Legend
‎06-25-2014 06:01 PM

You could do this in bash:

for index in `find  /opt/splunk/var/lib/splunk -type d  -name "EngLog_*"`
do
  /opt/splunk/bin/splunk clean eventdata -index $index -f
done

Just be careful and try the find command outside of the script first!

There are a few directories that are not actual indexes, within that base directory. While they don't start with EngLog_*, I figure that other people may look at this answer as a pattern...

0 Karma
Reply

jedatt01
Builder
‎06-25-2014 10:28 AM

Guess that will work. Was hoping there was a more simple way

0 Karma
Reply

somesoni2
Revered Legend
‎06-25-2014 06:25 AM

Doesn't seem like it accepts wildcard (splunk clean eventdata -index ). One workaround could be to get the list of indexes in excel, generate clean eventdata command for all and then put all those command in shell/batch script.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...