Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to delete a huge number of old events from the test data that has slipped in

matthewhaswell
Path Finder
‎02-19-2013 08:47 AM

Unfortunately our production Splunk was connected to a test system splunkforwarder by mistake and according to the Summary 9.5 million test events were uploaded into our main index.

Unfortunately every single one had the same timestamp of _time="1346149418" (Tue, 28 Aug 2012 10:23:38 GMT) so when I try to view or delete them then it fails with a red bar and a "Error in 'IndexScopedSearch': The search failed. More than 1000000 events found at time".

I understand the error from the other questions but I want to delete all these events and that host - but I can't clear the production index due to the error. All the events are the same (I think - we can't see them!) so I can't subdivide the search to less than 1,000,000.

Is there any other way to delete this host and these events?

Many thanks,

Matt

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎01-29-2014 04:04 PM

Can you try doing this and see if it helps

index=yourindex sourcetype=yoursourcetype _time="1346149418" | head 999999 | delete

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎02-19-2013 09:24 AM

To selectively hide the data, check the |delete searchh command in the docs.

0 Karma
Reply

jalfrey
Communicator
‎01-29-2014 11:17 AM

The delete command only works if your search runs.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...