Remove indexed data from Splunk
You can remove data from indexes in two ways:
- Delete events from future searches with the delete operator.
- Remove all data from one or more indexes with the CLI clean command.
Caution: Removing data is irreversible. Use caution when choosing what events to remove from searches, or what data to remove from your Splunk indexes. If you want to get your data back, you must re-index the applicable data source(s).
Delete data from future searches with the "delete" operator
Splunk provides the special operator delete to delete data from future searches. Before using the delete operator, read this section carefully.
Who can delete?
The delete operator can only be accessed by a user with the "delete_by_keyword" capability. By default, Splunk ships with a special role, "can_delete" that has this capability (and no others). The admin role does not have this capability by default. Splunk recommends you create a special user that you log into when you intend to delete index data.
For more information, refer to "Add and edit roles" in this manual.
How to delete
To use the delete operator, run a search that returns the events you want deleted. Make sure that this search returns ONLY events you want to delete, and no other events.
For example, if you want to remove the events you've indexed from a source called /fflanda/incoming/cheese.log so that they no longer appear in searches, do the following:
1. Disable or remove that source so that it no longer gets indexed.
2. Search for events from that source in your index:
source="/fflanda/incoming/cheese.log"
3. Look at the results to confirm that this is the data you want to delete.
4. Once you've confirmed that this is the data you want to delete, pipe the search to delete:
source="/fflanda/incoming/cheese.log" | delete
See the page about the delete operator in the Search Reference Manual for more examples.
Piping a search to the delete operator marks all the events returned by that search so that future searches do not return them. No user (even with admin permissions) will be able to see this data when searching with Splunk.
Note: Piping to delete does not reclaim disk space.
The delete operator also does not update the metadata of the events, so any metadata searches will still include the events although they are not searchable. The main All indexed data dashboard will still show event counts for the deleted sources, hosts, or sourcetypes.
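The workflow above has one real safeguard: the search is reviewed first, and only a search that returns nothing but the unwanted events is piped to delete. The following POSIX sh helper is an added example, not Splunk's own tooling; review_search, delete_search and the scoping rule they enforce are assumptions of this example. It prints the review search for a source path, and it appends "| delete" only to a search that carries a source=, host= or sourcetype= restriction and no bare wildcard, so a search that would match an entire index is refused before anything is marked deleted.

```shell
#!/bin/sh
# Two-phase helper for the delete workflow above (constructed example, not
# part of Splunk). Phase 1 prints the review search; phase 2 appends
# "| delete" only to a search scoped to a concrete source, host or sourcetype.

# review_search SOURCE_PATH
# Prints the search to run and inspect first, as in step 2 above.
review_search() {
  printf 'source="%s"\n' "$1"
}

# delete_search SPL
# Prints SPL with "| delete" appended, or fails (no output) when SPL is
# empty, is a bare wildcard, wildcards a field value (foo=* or foo="*"),
# or carries no source=/host=/sourcetype= restriction at all.
delete_search() {
  spl="$1"
  case "$spl" in
    ''|'*'|*'=*'*|*'="*"'*)
      echo "refusing: search '$spl' is too broad to pipe to delete" >&2
      return 1 ;;
  esac
  case "$spl" in
    *source=*|*host=*|*sourcetype=*) ;;
    *)
      echo "refusing: search '$spl' has no source/host/sourcetype restriction" >&2
      return 1 ;;
  esac
  printf '%s | delete\n' "$spl"
}

# Usage:
#   review_search /fflanda/incoming/cheese.log   -> run this, check the events
#   delete_search 'source="/fflanda/incoming/cheese.log"'
#                                                -> run this only once satisfied
```

Run the review search from the Splunk UI, look at the results, then run the string delete_search prints, logged in as the dedicated can_delete user the page recommends. The scoping check is a heuristic guard, not a substitute for reading the results: a source= filter can still match far more than you expect.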
Remove data from indexes with the CLI clean command
To delete index data permanently from your disk, use the CLI clean command. This command completely deletes the data in one or all indexes, depending on whether you provide an <index_name> argument. Typically, you run clean before re-indexing all your data.
Note: The CLI clean command is available in all versions of Splunk, including versions for Windows. When issuing CLI commands in Splunk for Windows, simply substitute the forward slashes you see in the examples shown below (/) with backslashes (\).
How to use the "clean" command
Here are the main ways to use the clean command:
- To access the help page for clean, type:
./splunk help clean
- To permanently remove event data from all indexes, type:
./splunk clean eventdata
- To permanently remove event data from a single index, type:
./splunk clean eventdata -index <index_name>
where <index_name> is the name of the targeted index.
- Add the -f parameter to force clean to skip its confirmation prompts.
Examples
Note: You must stop Splunk before you run the clean command:
./splunk stop
This example removes event data from all indexes:
./splunk clean eventdata
This example removes event data from the _internal index and forces Splunk to skip the confirmation prompt:
./splunk clean eventdata -index _internal -f
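Because clean is irreversible and, without -index, wipes every index, it is worth wrapping the stop / clean / start sequence in a script that refuses to run without an explicit index name. The following POSIX sh wrapper is an added example, not part of Splunk; build_clean_cmd, run_step, clean_index and the DRY_RUN variable are names assumed by this example, and it assumes it is run from $SPLUNK_HOME/bin where the page's ./splunk examples live. It validates the index name so a stray shell word can never become an extra CLI argument, adds -f only on explicit request, and with DRY_RUN=1 prints the three commands instead of running them.

```shell
#!/bin/sh
# Guarded wrapper for the "splunk clean eventdata" procedure on this page
# (constructed example, not Splunk's own tooling). Assumes it is run from
# $SPLUNK_HOME/bin, where the page's "./splunk" examples live.
SPLUNK_BIN=./splunk
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# build_clean_cmd INDEX [force]
# Prints the clean command scoped to exactly one index.
# - an empty index name is refused, because "clean eventdata" with no
#   -index argument removes the data of ALL indexes
# - names with characters outside [A-Za-z0-9_-] are refused, so the name
#   can never expand into extra CLI arguments
# - "-f" (skip the confirmation prompt) is added only when the second
#   argument is literally "force"
build_clean_cmd() {
  idx="$1"
  force="${2:-}"
  case "$idx" in
    '')
      echo "refusing: no index given; omitting -index would clean ALL indexes" >&2
      return 1 ;;
    *[!A-Za-z0-9_-]*)
      echo "refusing: '$idx' is not a plain index name" >&2
      return 1 ;;
  esac
  cmd="$SPLUNK_BIN clean eventdata -index $idx"
  if [ "$force" = force ]; then
    cmd="$cmd -f"
  fi
  printf '%s\n' "$cmd"
}

# run_step CMD...: run the command, or only print it when DRY_RUN=1
run_step() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'DRY RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# clean_index INDEX [force]
# The page's sequence: Splunk must be stopped before clean runs, and is
# started again afterwards. Re-indexing the source is still up to you.
clean_index() {
  cmd=$(build_clean_cmd "$1" "${2:-}") || return 1
  run_step "$SPLUNK_BIN" stop || return 1
  # word-splitting $cmd is intended: it was built from validated parts only
  run_step $cmd || return 1
  run_step "$SPLUNK_BIN" start
}

# Usage: DRY_RUN=1 ./clean_index.sh _internal force
if [ $# -gt 0 ]; then
  clean_index "$@"
fi
```

Run it first with DRY_RUN=1 to see exactly which commands will execute; on Windows, substitute backslashes as the note above says. The wrapper deliberately has no "all indexes" mode: if you really intend to clean everything before a full re-index, type the bare ./splunk clean eventdata by hand and answer its prompt.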
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8
Comments
Just starting with Splunk. Playing around, some events got in there but weren't needed. I managed to delete the events themselves (with | delete) but now I would like the summary pages to NOT show these hosts and sourcetypes.
This page clearly states | delete won't do that, but is there a way to clean up the metadata?
Danderson: Unfortunately, no. You can use the delete operator and specify a time range, but clean does a whole index at a time.
Is there a way to clean event data from a specific date range?
Hey charlesg, I recommend you ask this question on answers.splunk.com.