Clear all notable events in ITSI
To permanently delete indexed notable events in IT Service Intelligence (ITSI), use the CLI clean command. This command completely deletes the data in one or all indexes or KV store collections, depending on whether you provide an <index_name> or <collection> argument. For more information, see How to use the clean command in the Managing Indexers and Clusters of Indexers manual.
You can only perform this procedure in the CLI, so it's not currently supported on Splunk Cloud Platform.
The clean command doesn't work on indexer clusters unless you run it separately on each indexer.
- In the CLI, to stop Splunk Enterprise, type:
  $SPLUNK_HOME/bin/splunk stop
- On each indexer, run the following commands to clear the indexes:
  $SPLUNK_HOME/bin/splunk clean eventdata -index itsi_tracked_alerts
  $SPLUNK_HOME/bin/splunk clean eventdata -index itsi_notable_audit
  $SPLUNK_HOME/bin/splunk clean eventdata -index itsi_notable_archive
  $SPLUNK_HOME/bin/splunk clean eventdata -index itsi_grouped_alerts
- To start Splunk Enterprise, type:
  $SPLUNK_HOME/bin/splunk start
- On a single search head, run the following commands to clear the KV store collections:
  $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_group_system
  $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_group_user
  $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_tag
  $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_comment
  $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_group
  $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_actions_queue
  $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_temp_batch_claimed_action_queue
  $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_ticketing
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0, 4.19.1