What are different ways of clearing an index autom...

athorat · ‎08-12-2015

We want to clear the index on the last day of the month and load the index with new data on the first of every month.
What would be different ways to clear the index automatically on the last day of the month?

woodcock · ‎08-12-2015

If you have a 3 node index cluster in prod and you create a report that ends with the delete option and schedule the job to run on the last day, it will definitely delete all copies of the data and it will not appear in any search results after that.

somesoni2 · ‎08-12-2015

Below link from the Splunk document describes various ways a data for index can be removed.

http://docs.splunk.com/Documentation/Splunk/6.2.4/Indexer/RemovedatafromSplunk#Remove_data_from_one_....

The best one is "clean" command from Splunk CLI as it can be automated. Note that it doesn't work in clustered environment.

For scheduling to last day of month, there is no direct cron available in SPlunk to do that but you can run a search daily, check if the current date is last day of month, if yes then as an alert action run your script for cleanup indexed data.

athorat · ‎08-12-2015

We have a 3 node index cluster in prod and this will eventually be moved to prod.
by creating a report with delete option and scheduling the job to run on the last day, will that work in a cluster?

What are different ways of clearing an index automatically on the last day of the month?

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!