Splunk® Enterprise

Managing Indexers and Clusters of Indexers

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Remove indexes and indexed data

You can remove indexed data or even entire indexes from the indexer. These are the main options:

  • Delete events from subsequent searches.
  • Remove all data from one or more indexes.
  • Remove or disable an entire index.
  • Delete older data, based on a retirement policy.

Caution: Removing data is irreversible. If you want to get your data back once you've removed data using any of the techniques described in this topic, you must re-index the applicable data sources.

Delete events from subsequent searches

The Splunk search language provides the special command delete to delete event data from subsequent searches. Before using delete , read this section carefully.

Note: You cannot run the delete command during a real-time search; you cannot delete events as they come in. If you try to use delete during a real-time search, Splunk Enterprise will display an error.

Who can delete?

The delete command can only be run by a user with the "delete_by_keyword" capability. By default, Splunk Enterprise ships with a special role, "can_delete" that has this capability (and no others). The admin role does not have this capability by default. It's recommended that you create a special user that you log into when you intend to delete index data.

For more information, refer to Add and edit roles in Securing Splunk Enterprise.

How to delete

First run a search that returns the events you want deleted. Make sure that this search returns only the events you want to delete, and no other events. Once you're certain of that, you can pipe the results of the search to the delete command.

For example, if you want to remove the events you've indexed from a source called /fflanda/incoming/cheese.log so that they no longer appear in searches, do the following:

1. Disable or remove that source so that it no longer gets indexed.

2. Search for events from that source in your index:

source="/fflanda/incoming/cheese.log"

3. Look at the results to confirm that this is the data you want to delete.

4. Once you've confirmed that this is the data you want to delete, pipe the search to delete:

source="/fflanda/incoming/cheese.log" | delete

See the page about the delete command in the Search Reference Manual for more examples.

Note: When running Splunk on Windows, substitute the forward slashes (/) in the examples with backslashes (\).

Piping a search to the delete command marks all the events returned by that search so that subsequent searches do not return them. No user (even with admin permissions) will be able to see this data when searching.

Note: Piping to delete does not reclaim disk space. The data is not actually removed from the index; it is just invisible to searches.

The delete command does not update the metadata of the events, so any metadata searches will still include the events although they are not searchable. The main All indexed data dashboard will still show event counts for the deleted sources, hosts, or sourcetypes.

The delete operation and indexer clusters

In the normal course of index replication, the effects of a delete operation get quickly propagated across all bucket copies in the cluster, typically within a few seconds or minutes, depending on the cluster load and amount of data and buckets affected by the delete operation. During this propagation interval, a search can return results that have already been deleted.

Also, if a peer that had primary bucket copies at the time of the delete operation goes down before all the results have been propagated, some of the deletes will be lost. In that case, you must rerun the operation after the primary copies from the downed peer have been reassigned.

Remove data from one or all indexes

To delete indexed data permanently from your disk, use the CLI clean command. This command completely deletes the data in one or all indexes, depending on whether you provide an <index_name> argument. Typically, you run clean before re-indexing all your data.

Note: The clean command does not work on clustered indexes.

How to use the clean command

Here are the main ways to use the clean command:

  • To access the help page for clean, type:
splunk help clean
  • To permanently remove event data from all indexes, type:
splunk clean eventdata
  • To permanently remove event data from a single index, type:
splunk clean eventdata -index <index_name>

where <index_name> is the name of the targeted index.

  • Add the -f parameter to force clean to skip its confirmation prompts.

Important: You must stop the indexer before you run the clean command.

Note: In pre-5.0 versions of Splunk Enterprise, running the clean command caused the indexer to reset the next bucket ID value for the index to 0. Starting with version 5.0, this is no longer the case. So, if the latest bucket ID was 3, after you run clean, the next bucket ID will be 4, not 0. For more information on bucket naming conventions and the bucket ID, see What the index directories look like.

Examples

This example removes event data from all indexes: 

splunk stop
splunk clean eventdata

This example removes event data from the _internal index and forces Splunk to skip the confirmation prompt: 

splunk stop
splunk clean eventdata -index _internal -f

Remove an index entirely

To remove an index entirely (and not just the data contained in it), use the CLI command remove index: 

splunk remove index <index_name>

This command deletes the index's data directories and removes the index's stanza from indexes.conf.

Before running the command, look through all inputs.conf files (on your indexer and on any forwarders sending data to the indexer) and make sure that none of the stanzas are directing data to the index you plan to delete. In other words, if you want to delete an index called "nogood", make sure the following attribute/value pair does not appear in any of your input stanzas: index=nogood. Once the index has been deleted, the indexer will discard any data still being sent to that index.

When you run remove index, it first warns you if any of the inputs on the indexer (but not on any forwarders) are still configured to send data to the specified index. You'll see a message like this: 

03-28-2012 23:59:22.973 -0700 WARN  IndexAdminHandler - Events from the following 3 inputs will now be discarded, since they had targeted index=zzz:
03-28-2012 23:59:22.973 -0700 WARN  IndexAdminHandler - type: monitor, id: /home/v/syslog-avg-1000-lines
03-28-2012 23:59:22.973 -0700 WARN  IndexAdminHandler - type: monitor, id: /mnt/kickstart/internal/fermi
03-28-2012 23:59:22.973 -0700 WARN  IndexAdminHandler - type: monitor, id: /mnt/kickstart/internal/flights

You can run remove index while splunkd is running. You do not need to restart splunkd after the command completes.

The index deletion process is ordinarily fast, but the duration depends on several factors:

  • The amount of data being deleted.
  • Whether you are currently performing heavy writes to other indexes on the same disk.
  • Whether you have a large number of small .tsidx files in the index you're deleting.

Disable an index without deleting it

Use the disable index CLI command to disable an index without deleting it: 

splunk disable index <index_name>

Unlike the remove index command, disable index does not delete index data, and it is reversible (with the enable index command). However, once an index is disabled, splunkd will no longer accept data targeted at it.

You can also disable an index in Splunk Web. To do this, navigate to Settings > Indexes and click Disable to the right of the index you want to disable.

Delete older data based on retirement policy

When data in an index reaches a specified age or when the index grows to a specified size, it rolls to the "frozen" state, at which point the indexer deletes it from the index. Just before deleting the data, the indexer can move it to an archive, depending on how you configure your retirement policy.

For more information, see Set a retirement and archiving policy.

PREVIOUS
Set up multiple indexes 		  NEXT
Optimize indexes

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12

Comments

An alternative way for "Remove data from one or all indexes" could be to temporarily change your retirement policy for the index you want to clean. This solution would work in a distributed environment.

Yoho
January 2, 2018

If you run the above command "splunk clean eventdata -index " as root but your splunk instance run as a splunk user (ie non root), splunk won't restart by itself. Error message can be found in the crash log about a permission problem on the index directory. Changing permissions for a delete command is a little surprising at first. So either run the command as splunk user or just correct afterward by regiving the files/directory to splunk user from the root account, which makes splunk happy again.

Matthieu araman splunk
December 3, 2014

Seems that clean eventdata command cleans single index without -index parameter. So command<br />./splunk clean eventdata test<br />cleans test -index after warning.

JuhaTamminen
April 8, 2014

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters