Getting Data In

How to delete a host and all its data from Splunk so it no longer appears in the Data Summary?


I have a Windows server with the Universal Forwarder installed for testing.

I now want to remove that host and all data it has fed into Splunk, from Splunk.

I've uninstalled the forwarder, but I don't see how to remove it from Splunk itself - the old events are still there and it still shows on the "Data Summary" panel.

I tried hostname | delete from Splunk Web logged in as "admin" and it simply says I don't have rights which seems a bit odd logged in directly as "admin".

Thanks 🙂


So typically, the best practice is to create a new index for testing, then delete the testing index when you are done. This gets rid of all data sent to the index, and everything is clean. The delete command on the other hand is actually only a logical deletion, the data is still on disk (subject to the index's retention policy) but will never be retrieved in a Splunk search. To use it you will need to give your user (even if that's the admin user) the built in "can_delete" role. Once that's done then the delete command will work as expected. And you can then remove the capability again (It's risky to leave that capability on as even though the data is still on disk the only self-service supported way of making it visible again involves re-indexing removed data.

There are a few other nuclear options to removing data from Splunk discussed here:


Thanks, the data is minimal, I simply don't want to client to show up in things like the "Data Summary" pane on the search dashboard - is that doable?

0 Karma


@hutchingsp I am looking for the same thing did you achieve the requirement pls update!

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!