How to delete a huge number of old events from the...

matthewhaswell · ‎02-19-2013

Unfortunately our production Splunk was connected to a test system splunkforwarder by mistake and according to the Summary 9.5 million test events were uploaded into our main index.

Unfortunately every single one had the same timestamp of _time="1346149418" (Tue, 28 Aug 2012 10:23:38 GMT) so when I try to view or delete them then it fails with a red bar and a "Error in 'IndexScopedSearch': The search failed. More than 1000000 events found at time".

I understand the error from the other questions but I want to delete all these events and that host - but I can't clear the production index due to the error. All the events are the same (I think - we can't see them!) so I can't subdivide the search to less than 1,000,000.

Is there any other way to delete this host and these events?

Many thanks,

Matt

somesoni2 · ‎01-29-2014

Can you try doing this and see if it helps

index=yourindex sourcetype=yoursourcetype _time="1346149418" | head 999999 | delete

yannK · ‎02-19-2013

To selectively hide the data, check the |delete searchh command in the docs.

jalfrey · ‎01-29-2014

The delete command only works if your search runs.

How to delete a huge number of old events from the test data that has slipped in

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?