Remove (delete) data
This documentation does not apply to the most recent version of Splunk.
Use Splunk's tools to remove various types of data from your Splunk installation. With Splunk's tools, you can remove:
- Event data from an index.
- User account data (all of your created user accounts).
- Events from searches.
Note: You must have admin privileges to remove data.
You have two options when removing data from Splunk:
- Use the clean command in the CLI to completely remove data (event data, user data, or both) from your Splunk installation. Typically, you do this before re-indexing all your data. Note: You must shut down splunkd before deleting data in this manner.
- Use the delete:: modifier to specify that certain events not appear in search results. Because delete:: is slower than clean, use it only if you wish to re-index a small subset of your data sources; perhaps you want to reconfigure time stamp recognition for a single data source before re-indexing it. For example, if you wish to re-index the source "foo", first remove its events with delete::source::foo.
Caution: Removing data is irreversible. Use caution when choosing what events to remove from searches, or what data to remove from your Splunk installation. If you want to get your data back, you must re-index the applicable data source(s).
Important: The CLI delete modifier was inadvertently disabled in versions 3.3.3 and 3.3.4 of Splunk, and was reinstated in version 3.4. If you are running version 3.3.3 or 3.3.4, you can reinstate it by hand. To reinstate it, add the following XML snippet after the domain finder module (at around line 364) in $SPLUNK_HOME/etc/searchLanguage.xml:
<module>
    <name>delete</name>
    <requiredArgs>
        <arg>delete</arg>
    </requiredArgs>
    <optionalArgs>
        <arg>deleterestrict</arg>
    </optionalArgs>
    <defaults>
        <delete>typeahead_suppress</delete>
        <deleterestrict>typeahead_suppress</deleterestrict>
    </defaults>
</module>
Then, restart Splunk.
The CLI command: clean
The clean CLI command deletes event data and user account data from your Splunk installation. clean takes the following arguments: eventdata, userdata, and all.
Add the -f parameter to force clean to skip its confirmation prompts.
Note: From the Splunk CLI, type ./splunk help clean to access the help page for clean.
Remove event data from an index
Permanently remove event data from an index on your Splunk installation by typing ./splunk clean followed by the eventdata argument. Specify an index name to delete event data from that index only. If you don't specify an index, Splunk deletes all event data from all indexes, including the internal index, so always name the index unless you really intend to wipe everything.
Examples
Note: You must first stop Splunk before you can run any of these commands:
./splunk stop
This example tells Splunk to remove event data in all indexes (because no index argument is specified).
./splunk clean eventdata
This example removes indexed event data from the internal index and forces Splunk to skip the confirmation prompt.
./splunk clean eventdata internal -f
Remove user data
Remove user data (user accounts you've created) from your Splunk installation by typing ./splunk clean followed by the userdata argument.
Examples
This example removes all of the user accounts you've created.
./splunk clean userdata
This example removes the user accounts you've created and forces Splunk to skip the confirmation prompt.
./splunk clean userdata -f
Remove all data
Remove all user and indexed event data to return Splunk to its original installation state by typing ./splunk clean followed by the all argument.
Examples
This example removes all user and indexed event data.
./splunk clean all
This example removes all user and indexed event data you've created and forces Splunk to skip the confirmation prompt.
./splunk clean all -f
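The following wrapper script is an added example for the stop, clean, start sequence described above; it is not part of Splunk or of this documentation. It assumes SPLUNK_HOME points at the installation (defaulting to /opt/splunk here) and that $SPLUNK_HOME/bin/splunk is the CLI; the DRY_RUN variable, the function names and the acknowledgement string are inventions of the example. Its point is to make the no-index form of clean eventdata, which erases every index, impossible to reach by accident: an index name is mandatory, and the all-data form demands an explicit acknowledgement in place of the prompt that -f suppresses.

```shell
#!/bin/sh
# Added example: a guarded wrapper around "splunk clean". Not Splunk's own code.
# Assumptions: SPLUNK_HOME is the install directory (defaults to /opt/splunk here),
# $SPLUNK_HOME/bin/splunk is the CLI, and DRY_RUN=1 prints commands instead of running them.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_BIN="${SPLUNK_BIN:-$SPLUNK_HOME/bin/splunk}"

# run_or_print CMD ARGS...: execute the command, or print it when DRY_RUN=1.
run_or_print() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# clean_index INDEX: stop splunkd, remove event data from INDEX only, then start again.
# An index name is mandatory: "clean eventdata" with no index wipes every index
# (the internal one included), so a missing argument must fail, not fan out.
clean_index() {
    idx="$1"
    case "$idx" in
        "")
            echo "clean_index: no index given; refusing to clean all indexes" >&2
            return 2 ;;
        *[!A-Za-z0-9_-]*)
            echo "clean_index: invalid index name '$idx'" >&2
            return 2 ;;
    esac
    run_or_print "$SPLUNK_BIN" stop || return 1
    # -f skips the confirmation prompt; the guard above stands in for that prompt.
    run_or_print "$SPLUNK_BIN" clean eventdata "$idx" -f || return 1
    run_or_print "$SPLUNK_BIN" start
}

# clean_everything ACK: the "all" form (event and user data). Only proceeds when ACK is
# the literal acknowledgement string, so a stray call or a typo cannot trigger it.
clean_everything() {
    if [ "$1" != "I-UNDERSTAND-THIS-ERASES-ALL-DATA" ]; then
        echo "clean_everything: acknowledgement string missing" >&2
        return 2
    fi
    run_or_print "$SPLUNK_BIN" stop || return 1
    run_or_print "$SPLUNK_BIN" clean all -f || return 1
    run_or_print "$SPLUNK_BIN" start
}
```

Run it once with DRY_RUN=1 to see exactly which commands will be issued before letting it touch the installation; the wrapper stops splunkd itself, since clean refuses to run while it is up.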
Remove events from search results
This ONLY works in the CLI.
Use the delete:: modifier to hide events from search results based on an indexed field value, or by matching a string. Access the delete:: modifier by using the oldsearch command in a CLI search.
The delete:: modifier doesn't physically delete events from the index; it masks them from search results by flagging them with a value that makes them unsearchable. The raw event data stays on disk in the index, so delete:: is not a way to purge sensitive data from the installation; use clean for that.
Caution: Removing data is irreversible. Use caution when choosing what events to remove from searches, or what data to remove from your Splunk installation. If you want to get your data back, you must re-index the applicable data source(s).
Note: oldsearch is the deprecated version of the search command that you need to use to access the delete:: modifier.
Syntax
In the CLI:
./splunk search ' | oldsearch delete::(host | source | sourcetype)::value '
- Enter all fields and values in lowercase.
- You can remove events based on values of any indexed field.
- You can also remove events that match a string (delete::<string>) instead of matching a field::value pair. The string can't contain any spaces or commas, and you can't specify multiple strings in a single argument.
Note: You need to authenticate when using oldsearch delete::xxx. Use the -auth search parameter. Credentials passed with -auth are visible in your shell history and in the process list while the command runs, so run it from an account whose history and processes other users cannot read.
Examples
This example removes events of sourcetype=bar from the search results.
./splunk search ' | oldsearch delete::sourcetype::bar' -auth admin:changeme
This example removes events from the host "webserver1".
./splunk search ' | oldsearch delete::host::webserver1' -auth admin:changeme
NB: On Windows machines, use double-quotes (") instead of single-quotes (').
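An added example, not Splunk's code or this page's, that wraps the delete:: syntax above: it lowercases the field and value (the modifier only matches lowercase), rejects values the modifier cannot take (empty, or containing spaces or commas), and takes the credentials from an environment variable rather than a literal typed into the command. SPLUNK_BIN, SPLUNK_AUTH, DRY_RUN and the function names are the example's own assumptions. Because the shell quotes the search string as a single argument here, the single- versus double-quote difference between Unix and Windows command lines does not arise.

```shell
#!/bin/sh
# Added example: build and run an "oldsearch delete::" command safely. Not Splunk's own code.
# Assumptions: SPLUNK_BIN is the CLI path, SPLUNK_AUTH holds user:password (export it from
# a mode-0600 file rather than typing it), and DRY_RUN=1 prints instead of running.

SPLUNK_BIN="${SPLUNK_BIN:-/opt/splunk/bin/splunk}"

# run_or_print CMD ARGS...: execute the command, or print it when DRY_RUN=1.
run_or_print() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# delete_modifier FIELD VALUE: print "delete::field::value", or "delete::value" when FIELD
# is empty (the plain string form). Both parts are lowercased because the modifier only
# matches lowercase; a value with spaces or commas is rejected because the modifier
# cannot take one, and an empty value would match nothing useful.
delete_modifier() {
    field=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    value=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$value" in
        "")
            echo "delete_modifier: empty value" >&2
            return 2 ;;
        *[[:space:],]*)
            echo "delete_modifier: value '$2' may not contain spaces or commas" >&2
            return 2 ;;
    esac
    case "$field" in
        "")
            printf 'delete::%s\n' "$value" ;;
        *[[:space:],]*)
            echo "delete_modifier: bad field name '$1'" >&2
            return 2 ;;
        *)
            printf 'delete::%s::%s\n' "$field" "$value" ;;
    esac
}

# run_delete FIELD VALUE: mask the matching events through the CLI. The credentials come
# from SPLUNK_AUTH; they are still visible in the process list for the life of the
# command, so this belongs in an admin session, not a shared shell.
run_delete() {
    mod=$(delete_modifier "$1" "$2") || return $?
    if [ -z "$SPLUNK_AUTH" ]; then
        echo "run_delete: SPLUNK_AUTH is not set" >&2
        return 2
    fi
    run_or_print "$SPLUNK_BIN" search "| oldsearch $mod" -auth "$SPLUNK_AUTH"
}
```

For example, run_delete host WebServer1 issues the same search as the second example above, with the host name lowercased for you; run_delete "" foo uses the plain string form.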
This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13 , 3.4.14