Admin Manual

Remove indexed data from Splunk

Splunk provides a special operator, delete. Before using the delete operator, read this section carefully.

Caution: Removing data is irreversible. Use caution when choosing what events to remove from searches, or what data to remove from your Splunk installation. If you want to get your data back, you must re-index the applicable data source(s).

Who can delete?

The delete operator can only be accessed by a user with the "delete_by_keyword" capability. By default, Splunk ships with a special role, "can_delete", that has this capability (and no others). The admin role does not have this capability by default. Splunk recommends you create a special user that you log into when you intend to delete index data.

For more information, refer to "Add users and assign roles" in this manual.

Note: If you are running Splunk Free, there is no restriction; there is no user/role mapping so any user of Splunk can use the delete operator.

Note: If you use LDAP groups for auth, define an LDAP group that has the "can_delete" capability and add the user to that group. Then, in Manager, reload auth to sync this change to Splunk. This will disconnect all currently authenticated sessions.

How to delete

To use the delete operator, run a search that returns the events you want deleted. Make sure that this search ONLY returns events you want to delete, and no other events.

For example, suppose you have already disabled or removed a source called /fflanda/incoming/cheese.log so that it no longer produces new events, and you now want to remove the events from it that are already indexed so they never show up in any future searches. Do the following:

First, search for that source:

source="/fflanda/incoming/cheese.log"

Once you've confirmed that this is the data you want to delete, pipe that search to delete:

source="/fflanda/incoming/cheese.log" | delete

See the page about the delete operator in the Search Reference Manual for more examples.

Piping a search to the delete operator marks all the events returned by that search so that they are never returned by any future search. No user (even with admin permissions) will be able to see this data when searching with Splunk.

Currently, piping to delete does not reclaim disk space. Splunk will deliver a utility in a future release that reclaims the disk space by going through the index and permanently removing all the events marked by the delete operator.

Note: It may take several minutes for the All indexed data dashboard to reflect the removal of the deleted hosts/sources/sourcetypes. This is expected behavior, as Splunk must remove the metadata references from all buckets within the index and then rebuild the metadata manifest.

Delete event data from the CLI with the 'clean' command

To completely delete event data from your disk, use the clean command in the CLI, which removes the data from the index itself. Typically, you do this before re-indexing all your data.

Add the -f parameter to force clean to skip its confirmation prompts.

From the Splunk CLI, type ./splunk help clean to access the help page for clean.

Permanently remove event data from an index on your Splunk installation by typing ./splunk clean followed by the eventdata argument. Specify an index to delete event data from a specific index. If you don't specify an index, Splunk deletes all event data from all indexes.

Examples

Note: You must first stop Splunk before you can run any of these commands:

./splunk stop

This example tells Splunk to remove event data in all indexes (because no index argument is specified).

./splunk clean eventdata 

This example removes indexed event data from the _internal index and forces Splunk to skip the confirmation prompt.

./splunk clean eventdata -index _internal -f
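Because clean eventdata with no -index argument wipes every index, and because it must be run with Splunk stopped, a guarded wrapper is a sensible way to script this. The following POSIX shell script is an added example, not part of Splunk's own documentation or tooling; it assumes SPLUNK_HOME points at the installation and that ./splunk status reports "is running" while splunkd is up.

```shell
#!/bin/sh
# Guarded wrapper around "splunk clean eventdata" (added example, not Splunk's own code).
# Assumption: SPLUNK_HOME is the installation directory (defaults to /opt/splunk here).
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Accept only plausible index names (letters, digits, underscore, hyphen) so that an
# empty string or a typo cannot turn into "clean eventdata" with no -index, which
# removes event data from ALL indexes.
valid_index_name() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the exact command line that will run; -f (skip confirmation) stays explicit
# so it is visible in logs and in the echoed command.
build_clean_cmd() {
    idx="$1"
    valid_index_name "$idx" || return 1
    printf '%s/bin/splunk clean eventdata -index %s -f\n' "$SPLUNK_HOME" "$idx"
}

# Run the clean only when splunkd is stopped, as the clean command requires.
# Assumption: "splunk status" prints "is running" when splunkd is up.
clean_index() {
    idx="$1"
    cmd=$(build_clean_cmd "$idx") || {
        echo "refusing: bad or missing index name '$idx'" >&2
        return 2
    }
    if "$SPLUNK_HOME/bin/splunk" status 2>/dev/null | grep -q 'is running'; then
        echo "refusing: splunkd is running; run '$SPLUNK_HOME/bin/splunk stop' first" >&2
        return 3
    fi
    echo "running: $cmd"
    sh -c "$cmd"
}

# Constructed usage: remove event data from the _internal index only.
# clean_index _internal
```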

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11