So typically, the best practice is to create a new index for testing, then delete the testing index when you are done. This gets rid of all data sent to the index, and everything is clean. The delete command, on the other hand, is actually only a logical deletion: the data is still on disk (subject to the index's retention policy) but will never be retrieved in a Splunk search. To use it you will need to give your user (even if that's the admin user) the built-in "can_delete" role. Once that's done, the delete command will work as expected. You can then remove the capability again. (It's risky to leave that capability on, as even though the data is still on disk, the only self-service supported way of making it visible again involves re-indexing the removed data.)
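As an added example (not code from the original answer), the grant, scoped delete, revoke sequence above as a small Python script driving Splunk's REST API (`authentication/users/<name>` and `search/jobs`). The HTTP caller is injected so it can be exercised offline; the host, user and index names are constructed placeholders, and bearer-token auth in `http_post` is an assumption.

```python
import re
import urllib.request
from urllib.parse import urlencode

CAN_DELETE = "can_delete"
# Explicit index names only: no wildcards, spaces or pipes, so a typo
# cannot turn the search into "index=* | delete".
_INDEX_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_-]*$")


def scoped_delete_search(index, extra_filter=""):
    """Build a '| delete' search pinned to one explicitly named index."""
    if not _INDEX_RE.match(index):
        raise ValueError(f"refusing to delete from non-explicit index {index!r}")
    if "|" in extra_filter:
        raise ValueError("extra_filter must be a plain field filter, not a pipeline")
    parts = ["search", f"index={index}"]
    if extra_filter:
        parts.append(extra_filter)
    return " ".join(parts + ["|", "delete"])


def grant_can_delete(roles):
    return sorted(set(roles) | {CAN_DELETE})


def revoke_can_delete(roles):
    return [r for r in roles if r != CAN_DELETE]


def http_post(url, form, token):
    """Real poster (assumption: Splunk auth token); not used by the offline test."""
    req = urllib.request.Request(url, data=urlencode(form).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def run_scoped_delete(post, base_url, user, current_roles, index, extra_filter=""):
    """Temporarily grant can_delete, run the scoped delete, always revoke it.

    `post(url, form_pairs)` is an injected caller. POSTing `roles` to the user
    endpoint replaces the whole role list, so the current roles are passed in
    and restored minus can_delete afterwards, even if the search fails."""
    user_url = f"{base_url}/services/authentication/users/{user}"
    post(user_url, [("roles", r) for r in grant_can_delete(current_roles)])
    try:
        return post(f"{base_url}/services/search/jobs",
                    [("search", scoped_delete_search(index, extra_filter)),
                     ("exec_mode", "oneshot")])
    finally:
        post(user_url, [("roles", r) for r in revoke_can_delete(current_roles)])
```

The `finally` block is the point: the answer's warning about leaving can_delete switched on is handled by revoking it on every exit path, not just the happy one.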