Delete data from the index
You can run delete commands from the Splunk CLI. To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and type ./splunk followed by a Splunk CLI command. You can also add Splunk to your path and use the command line.
Delete everything
Run this command on the Splunk server host to delete all indexed data, users, and other Splunk-related data on the server:
# splunk clean all
Run this command to delete event data:
# splunk clean eventdata
Delete a subset of events
Use the delete= command either in the search bar of SplunkWeb, or from the command line on the Splunk server host:
delete=<search-terms>
Note: There are a few restrictions on the delete= command:
- You can only use one delete= modifier per command.
- You can additionally add one deleterestrict= modifier to further filter.
- You can only restrict deletion by source, sourcetype, host and time range.
- Additional search terms must come first.
For example:
splunk search "daysago=1 delete=host::10.1.1.72 deleterestrict=source::/var/log/anaconda.log"
This command will delete every event with host::10.1.1.72 from source::/var/log/anaconda.log whose timestamp is within the past day.
If you type delete= into the web interface, you'll see a typeahead list of all allowable completions for a delete= command on your data. The same is true for deleterestrict=.
The best way to use delete= is:
- Create a search that returns only the events you want to delete.
- Add delete= in front of one of its parameters to delete the same set of events. Move the delete= term to the leftmost end.
- If you are doing a subset delete, use the deleterestrict= command.
Note:
- If you use delete= to remove events with a qualifying restriction (such as all events from a specific host), new events that arrive may result in a miscount of events for that host/source/sourcetype. This will be addressed in a later release. Contact support for more information if you experience this problem.
- delete= does not free disk space on the index. The data still resides in the index; it simply cannot be returned in a search. If you need to recover the disk space, you will need to run:
# splunk clean eventdata
- delete= does not work with wildcards (*).
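Because delete= cannot be undone short of a full splunk clean, it is worth checking a delete command against the restrictions above before running it. The following POSIX shell helper is an added example, not part of the Splunk documentation: it assembles a delete command from the search terms, the delete= target and an optional deleterestrict= value, rejects wildcards, extra modifiers and unsupported restriction fields, and also emits the matching preview search (the same terms without delete=) so you can confirm the event set first. The function names are assumptions; it only prints commands and does not call splunk itself.

```shell
#!/bin/sh
# Added example: build and sanity-check a Splunk 3.x delete command.
# Assumes $SPLUNK_HOME/bin is on PATH when you run the printed commands.

# Usage: build_delete_cmd "<search terms>" "<delete target>" ["<restriction>"]
# e.g.   build_delete_cmd "daysago=1" "host::10.1.1.72" "source::/var/log/anaconda.log"
build_delete_cmd() {
    terms=$1
    target=$2
    restrict=${3:-}

    # delete= does not work with wildcards, so refuse them up front.
    case "$target$restrict" in
        *\**) echo "error: wildcards are not supported by delete=" >&2; return 1 ;;
    esac

    # Only one delete= and one deleterestrict= per command: reject callers
    # that smuggle extra modifiers in through the search terms.
    case "$terms" in
        *delete=*|*deleterestrict=*)
            echo "error: extra delete modifiers in search terms" >&2; return 1 ;;
    esac

    # deleterestrict= may only filter by source, sourcetype or host.
    if [ -n "$restrict" ]; then
        case "$restrict" in
            source::*|sourcetype::*|host::*) ;;
            *) echo "error: deleterestrict= must use source::, sourcetype:: or host::" >&2; return 1 ;;
        esac
    fi

    # Additional search terms first, then delete=, then the optional restriction.
    cmd="splunk search \"$terms delete=$target"
    [ -n "$restrict" ] && cmd="$cmd deleterestrict=$restrict"
    printf '%s"\n' "$cmd"
}

# Same arguments: the plain search that should return exactly the events
# the delete command would remove. Run this first and inspect the results.
preview_cmd() {
    terms=$1
    target=$2
    restrict=${3:-}
    cmd="splunk search \"$terms $target"
    [ -n "$restrict" ] && cmd="$cmd $restrict"
    printf '%s"\n' "$cmd"
}
```

Run the preview command, check the event count and sample events, and only then paste the delete command into the CLI.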
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4