Splunk® IT Service Intelligence

Event Analytics Manual

Splunk IT Service Intelligence (ITSI) version 4.11.x reached its End of Life on December 6, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see Before you upgrade IT Service Intelligence.

Clear all notable events in ITSI

To permanently delete indexed notable events in IT Service Intelligence (ITSI), use the CLI clean command. This command completely deletes the data in one or all indexes or KV store collections, depending on whether you provide an <index_name> or <collection> argument. For more information, see How to use the clean command in the Managing Indexers and Clusters of Indexers manual.

You can only perform this procedure in the CLI, so it's not currently supported on Splunk Cloud Platform.

The clean command doesn't work on indexer clusters unless you run it separately on each indexer.

  1. In the CLI, to stop Splunk Enterprise type $SPLUNK_HOME/bin/splunk stop
  2. On each indexer, run the following commands to clear the indexes:
    $SPLUNK_HOME/bin/splunk clean eventdata -index itsi_tracked_alerts;
    $SPLUNK_HOME/bin/splunk clean eventdata -index itsi_notable_audit;
    $SPLUNK_HOME/bin/splunk clean eventdata -index itsi_notable_archive;
    $SPLUNK_HOME/bin/splunk clean eventdata -index itsi_grouped_alerts
    
  3. To start Splunk Enterprise type $SPLUNK_HOME/bin/splunk start
  4. On a single search head, run the following commands to clear the KV store collections:
    $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_group_system;
    $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_group_user;
    $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_tag;
    $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_comment;
    $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_group;
    $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_actions_queue;
    $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_temp_batch_claimed_action_queue;
    $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_ticketing
    
Last modified on 28 April, 2023
Modify notable event KV store collections in ITSI   Overview of aggregation policies in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0, 4.19.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters