Splunk® IT Service Intelligence

Event Analytics Manual

Clear all notable events in ITSI

To permanently delete indexed notable events in IT Service Intelligence (ITSI), use the CLI clean command. This command completely deletes the data in one or all indexes or KV store collections, depending on whether you provide an <index_name> or <collection> argument. For more information, see How to use the clean command in the Managing Indexers and Clusters of Indexers manual.

You can only perform this procedure in the CLI, so it's not currently supported on Splunk Cloud.

The clean command doesn't work on indexer clusters unless you run it separately on each indexer.

  1. In the CLI, to stop Splunk Enterprise, type $SPLUNK_HOME/bin/splunk stop
  2. On each indexer, run the following commands to clear the indexes:
    $SPLUNK_HOME/bin/splunk clean eventdata -index itsi_tracked_alerts;
    $SPLUNK_HOME/bin/splunk clean eventdata -index itsi_notable_audit;
    $SPLUNK_HOME/bin/splunk clean eventdata -index itsi_notable_archive;
    $SPLUNK_HOME/bin/splunk clean eventdata -index itsi_grouped_alerts
    
  3. On a single search head, run the following commands to clear the KV store collections:
    $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_group_system;
    $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_group_user;
    $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_tag;
    $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_comment;
    $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_group;
    $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_actions_queue;
    $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_temp_batch_claimed_action_queue;
    $SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA -collection itsi_notable_event_ticketing
    
  4. To start Splunk Enterprise, type $SPLUNK_HOME/bin/splunk start

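The procedure above as a guarded wrapper, added here as an example and not part of Splunk's documentation or tooling: it prints the commands for one role by default and deletes data only when `--execute` is passed. The function names, the `indexer`/`search-head` role argument and the `--execute` switch are assumptions; the index and collection names are those listed in steps 2 and 3.

```shell
#!/bin/sh
# Added example, not Splunk's own tooling. Index and collection names come from
# the steps above; function names, roles and --execute are assumptions.
ITSI_INDEXES="itsi_tracked_alerts itsi_notable_audit itsi_notable_archive itsi_grouped_alerts"
ITSI_COLLECTIONS="itsi_notable_group_system itsi_notable_group_user
itsi_notable_event_tag itsi_notable_event_comment itsi_notable_event_group
itsi_notable_event_actions_queue itsi_temp_batch_claimed_action_queue
itsi_notable_event_ticketing"

# Print the "splunk clean" arguments for one role, one command per line.
itsi_clean_plan() {
    case "${1:-}" in
        indexer)
            for idx in $ITSI_INDEXES; do
                echo "clean eventdata -index $idx"
            done ;;
        search-head)
            for coll in $ITSI_COLLECTIONS; do
                echo "clean kvstore -app SA-ITOA -collection $coll"
            done ;;
        *)
            echo "role must be 'indexer' or 'search-head'" >&2
            return 2 ;;
    esac
}

# Dry run unless the second argument is --execute. Splunk is stopped first and
# started again afterwards, even if one of the clean commands fails.
itsi_clean_run() {
    [ -n "${SPLUNK_HOME:-}" ] || { echo "SPLUNK_HOME is not set" >&2; return 1; }
    splunk="$SPLUNK_HOME/bin/splunk"
    plan=$(itsi_clean_plan "${1:-}") || return 2
    if [ "${2:-}" != "--execute" ]; then
        echo "$plan" | sed "s|^|DRY RUN: $splunk |"
        return 0
    fi
    [ -x "$splunk" ] || { echo "not executable: $splunk" >&2; return 1; }
    "$splunk" stop || return 1
    rc=0
    # The plan is read on fd 3 so stdin stays free for any prompt from splunk.
    while IFS= read -r args <&3; do
        "$splunk" $args || { rc=1; break; }
    done 3<<EOF
$plan
EOF
    "$splunk" start || rc=1
    return $rc
}
```

Run `itsi_clean_run indexer --execute` on each indexer and `itsi_clean_run search-head --execute` on a single search head, matching steps 2 and 3.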
Last modified on 26 August, 2020

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.5.0 Cloud only, 4.5.1 Cloud only, 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only

