cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
ohisa
New Member
Member since: ‎03-05-2015
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎03-05-2015
View All

How can I remove eventdata even if splunk restarts...

by in Installation
‎03-05-2015 07:39 AM
‎03-05-2015 07:39 AM
Splunk Version: 6.1.2 (Free Edition) OS: Mac OS X 10.10.2 How can I remove eventdata even if splunk restarts ? I tried to remove all of indexed event data, with following commands === pollux:splunk ohisa$ pwd /Applications/Splunk/var/lib/splunk pollux:splunk ohisa$ /Applications/Splunk/bin/splunk stop Stopping splunkd... Shutting down. Please wait, as this may take a few minutes. .. Stopping splunk helpers... Done. pollux:splunk ohisa$ /Applications/Splunk/bin/splunk clean eventdata -f Cleaning database _audit. Cleaning database _blocksignature. Cleaning database _internal. Cleaning database _introspection. Cleaning database _thefishbucket. Cleaning database history. Cleaning database main. Cleaning database summary. Disabled database 'splunklogger': will not clean. pollux:splunk ohisa$ ls defaultdb/ ./ ../ pollux:splunk ohisa$ The directory 'defaultdb' -- index main -- is now empty. But after "splunk start", eventdata that have deleted above are restored as 'hot_v1_7' ==== pollux:splunk ohisa$ /Applications/Splunk/bin/splunk start Splunk> Take the sh out of IT. Checking prerequisites... Checking http port [8000]: open Checking mgmt port [8089]: open Checking appserver port [127.0.0.1:8065]: open Checking kvstore port [8191]: open Checking configuration... Done. Checking critical directories... Done Checking indexes... Validated: _audit _blocksignature _internal _introspection _thefishbucket history main summary Done Checking filesystem compatibility... Done Checking conf files for problems... Done All preliminary checks passed. Starting splunk server daemon (splunkd)... Done Waiting for web server at http://127.0.0.1:8000 to be available.. Done If you get stuck, we're here to help. Look for answers here: http://docs.splunk.com The Splunk web interface is at http://pollux.local:8000 pollux:splunk ohisa$ ls defaultdb/ ./ ../ colddb/ datamodel_summary/ db/ thaweddb/ pollux:splunk ohisa$ ls defaultdb/db ./ ../ .bucketManifest CreationTime GlobalMetaData/ hot_v1_7/ pollux:splunk ohisa$ ls defaultdb/db/hot_v1_7/ ./ 1425593484-1425161467-1192398453668579227.tsidx bucket_info.csv ../ Hosts.data rawdata/ 1425338835-1425288071-1192398874956226696.tsidx SourceTypes.data splunk-autogen-params.dat 1425365650-1425358532-1192398817086921380.tsidx Sources.data splunk-need-optimize.dat 1425514810-1425288071-1192398824996874412.tsidx Strings.data pollux:splunk ohisa$ Thanks, -Mitz ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM