Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to delete uploaded csv file

syjayaraj
Explorer
‎02-20-2016 09:56 AM

Hello Team,
I added an csv file using add data, I do not know how to delete it, could some help on this.
and where this normally sits .i.e the path e.g opt/splunk..

Tags (1)
Reply

hsesterhenn_spl
Splunk Employee
Splunk Employee
‎02-25-2016 09:53 AM

Hi,

let's summarize your options:

If you have uploaded a CSV using "Add Data" all events are copied from the CSV into an index (this is the main index by default if you don't change it). There is no thing as "stored CSV file". This file has been removed from the system after adding the events.
Using the "source=" search filter you can get all events which have been imported from this CSV.

If you want to delete a whole index use "splunk clean eventdata" on the CLI as mentioned. It will free the space on disk.

The "delete" command is only allowed for a special role as mentioned AND IT WILL NOT DELETE DATA FROM DISK!
http://docs.splunk.com/Documentation/Splunk/latest/Indexer/RemovedatafromSplunk#How_to_delete
Please read this explanation carefully.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delete

And as mentioned by Martin if you have uploaded a file to be used as a LOOKUP you have to delete it from the server itself.

HTH,
Holger

Reply

fdi01
Motivator
‎02-23-2016 04:47 AM

in CLI; go to splunk_home/bin/ use splunk clean command to do it
you can first run splunk help clean command to understand how clean command is it work

0 Karma
Reply

dkeck
Influencer
‎02-23-2016 02:54 AM

Hi,

you can also just delete the index you put the data in, assumed its the only data in this index otherwise thats not a help.

Settings->Indexes->delete
0 Karma
Reply

ngatchasandra
Builder
‎02-23-2016 01:44 AM

Hi syjayaraj,

  1. remove your csv file returns to delete the data therein. In the search bar, you can use delete operator .

To do this, your role must have the capability to do so. If you are an admin user, you must go add can_delete role because admin role don't have it by default.

After to this, run a search that returns events of your csv file like follow:

source=   (name_of_your_file.csv)  OR (Path/../ name_of_your_file.csv)|delete

This will remonve all data in your csv file

For more Explanation follow the link:

http://docs.splunk.com/Documentation/Splunk/latest/Indexer/RemovedatafromSplunk#Delete_events_from_f...

  1. I think that to see where your csv file is located, go to opt/Splunk/var/lib/splunk/defaultdb/db/hot_v1_0/rawdata if you use default index to index your file.

Note: hot_v1_0 is newsly created directory.

follow opt/Splunk/var/lib/splunk/your_index_nama/db/hot_v1_0/rawdata for for your particular index.

Reply

hsesterhenn_spl
Splunk Employee
Splunk Employee
‎02-25-2016 09:44 AM

Please do not remove files from the bucket if you are not familiar with Splunk internal details.

If you want to delete data use the official commands (Splunk clean on the CLI) or delete the whole index.

Holger

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-20-2016 12:33 PM

You've probably uploaded a lookup .csv file, those sit in $SPLUNK_HOME/etc/apps/your_app/lookups or $SPLUNK_HOME/etc/system/lookups.

Reply
Get Updates on the Splunk Community!

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

Enterprise Security Content Update (ESCU) | New Releases

In April, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security ...