Splunk® Enterprise

Managing Indexers and Clusters of Indexers

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Remove indexes and indexed data

You can remove indexed data or even entire indexes from the indexer. These are the main options:

  • Delete events from subsequent searches.
  • Remove all data from one or more indexes.
  • Remove or disable an entire index.
  • Remove older data, based on a retirement policy.

Removing data is irreversible. If you want to get your data back once you've removed data using any of the techniques described in this topic, you must re-index the applicable data sources.

Delete events from subsequent searches

The Splunk search language provides the delete command to delete event data from subsequent searches.

The delete command is available only with events indexes. You cannot use it with metrics indexes.

You cannot run the delete command for a real-time search. If you try to use delete during a real-time search, Splunk Enterprise will display an error.

The delete command only deletes the events from subsequent searches. The data itself remains in the index.

Who can delete?

The delete command can only be run by a user with the "delete_by_keyword" capability. By default, Splunk Enterprise ships with a special role, "can_delete", that has this capability (and no others). The admin role does not have this capability by default. It's recommended that you create a special user, assigned the can_delete role, that you log into only when you intend to delete index data.

For more information, refer to Add and edit roles in Securing Splunk Enterprise.

How to delete

First run a search that returns the events you want deleted. Make sure that this search returns only the events you want to delete, and no other events. Once you're certain of that, you can pipe the results of the search to the delete command.

For example, if you want to remove the events you've indexed from a source called /fflanda/incoming/cheese.log so that they no longer appear in searches, do the following:

1. Disable or remove that source so that it no longer gets indexed.

2. Search for events from that source in your index:

source="/fflanda/incoming/cheese.log"

3. Look at the results to confirm that this is the data you want to delete.

4. Once you've confirmed that this is the data you want to delete, pipe the search to delete:

source="/fflanda/incoming/cheese.log" | delete

See the page about the delete command in the Search Reference Manual for more examples.

Note: When running Splunk on Windows, substitute the forward slashes (/) in the examples with backslashes (\).

Piping a search to the delete command marks all the events returned by that search so that subsequent searches do not return them. No user (even with admin permissions) will be able to see this data when searching.

Note: Piping to delete does not reclaim disk space. The data is not actually removed from the index; it is just invisible to searches.

The delete command does not update the metadata of the events, so any metadata searches will still include the events although they are not searchable. The main All indexed data dashboard will still show event counts for the deleted sources, hosts, or sourcetypes.

The delete operation and indexer clusters

In the normal course of index replication, the effects of a delete operation get quickly propagated across all bucket copies in the cluster, typically within a few seconds or minutes, depending on the cluster load and amount of data and buckets affected by the delete operation. During this propagation interval, a search can return results that have already been deleted.

Also, if a peer that had primary bucket copies at the time of the delete operation goes down before all the results have been propagated, some of the deletes will be lost. In that case, you must rerun the operation after the primary copies from the downed peer have been reassigned.

Remove all data from one or all indexes

To delete indexed data permanently from your disk, use the CLI clean command. This command completely deletes the data in one or all indexes, depending on whether you provide an <index_name> argument. Typically, you run clean before re-indexing all your data.

Note: The clean command does not work on clustered indexes.

How to use the clean command

Here are the main ways to use the clean command:

  • To access the help page for clean, type:
splunk help clean
  • To permanently remove data from all indexes, type:
splunk clean eventdata
  • To permanently remove data from a single index, type:
splunk clean eventdata -index <index_name>

where <index_name> is the name of the targeted index.

  • Add the -f parameter to force clean to skip its confirmation prompts.

Important: You must stop the indexer before you run the clean command.

Note: In pre-5.0 versions of Splunk Enterprise, running the clean command caused the indexer to reset the next bucket ID value for the index to 0. Starting with version 5.0, this is no longer the case. So, if the latest bucket ID was 3, after you run clean, the next bucket ID will be 4, not 0. For more information on bucket naming conventions and the bucket ID, see What the index directories look like.

Examples

This example removes data from all indexes:

splunk stop
splunk clean eventdata

This example removes data from the _internal index and forces Splunk to skip the confirmation prompt:

splunk stop
splunk clean eventdata -index _internal -f

Remove an index entirely

To remove an index entirely (and not just the data contained in it) from a non-clustered indexer, you can use Splunk Web or the CLI. You can also edit indexes.conf directly.

Before removing an index, look through all inputs.conf files on your indexer and on any forwarders sending data to the indexer and make sure that none of the stanzas are directing data to the index you plan to delete. For example, if you want to delete an index called "nogood", make sure the following attribute/value pair does not appear in any of your input stanzas: index=nogood. Once the index has been deleted, the indexer will discard any data still being sent to that index.
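The inputs.conf sweep described above can be scripted. This is an added example, not Splunk's own code: the parser is a simplified stand-in for Splunk's .conf handling (it reads one file at a time and ignores layering across apps), and the sample inputs.conf is constructed. It also catches the less obvious case where a stanza inherits the index from a [default] stanza instead of naming it explicitly.

```python
import re

STANZA_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KV_RE = re.compile(r"^\s*(?P<key>[^=#\s][^=]*?)\s*=\s*(?P<value>.*?)\s*$")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}} (keys lowercased).
    '#' lines are comments; settings before any header belong to [default]."""
    stanzas = {}
    current = stanzas.setdefault("default", {})
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        header = STANZA_RE.match(line)
        if header:
            current = stanzas.setdefault(header.group("name"), {})
            continue
        kv = KV_RE.match(line)
        if kv:
            current[kv.group("key").lower()] = kv.group("value")
    return stanzas

def stanzas_targeting_index(text, index_name):
    """Return names of input stanzas whose effective index is index_name.
    A stanza without its own index key inherits [default]'s index, if set,
    so the check covers inherited routing as well as explicit index=<name>."""
    conf = parse_conf(text)
    default_index = conf.get("default", {}).get("index", "")
    return [
        name
        for name, settings in conf.items()
        if name != "default"
        and settings.get("index", default_index).lower() == index_name.lower()
    ]

# Constructed sample inputs.conf; not taken from a real deployment.
SAMPLE_INPUTS_CONF = """\
[default]
index = nogood

[monitor:///fflanda/incoming/cheese.log]
# no index key here: this stanza inherits index=nogood from [default]
sourcetype = cheese

[monitor:///var/log/syslog]
index = main
"""
```

Run stanzas_targeting_index over every inputs.conf on the indexer and its forwarders; any stanza it returns must be changed or removed before you delete the index.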

To remove an index in Splunk Web, navigate to Settings > Indexes and click Delete to the right of the index you want to remove. This action deletes the index's data directories and removes the index's stanza from indexes.conf.

To remove an index through the CLI, run the splunk remove index command:

splunk remove index <index_name>

This command deletes the index's data directories and removes the index's stanza from indexes.conf.

You can run splunk remove index while the indexer is running. You do not need to restart the indexer after the command completes.

The index deletion process is ordinarily fast, but the duration depends on several factors:

  • The amount of data being deleted.
  • Whether you are currently performing heavy writes to other indexes on the same disk.
  • Whether you have a large number of small .tsidx files in the index you're deleting.

You can also remove an index by editing indexes.conf directly and deleting the index's stanza. Restart the indexer and then remove the index's directories.

To remove an index from an indexer cluster, you must edit indexes.conf and delete the index's stanza. You cannot use Splunk Web or the CLI. As with all such changes on an indexer cluster, you first edit the file on the master node and then apply the changes to the peer nodes. See Configure the peer indexes in an indexer cluster. Once you've applied the indexes.conf changes and the peer nodes have restarted, remove the index's directories from each peer node.

Disable an index without removing it

Once an index is disabled, the indexer no longer accepts data targeted at it. However, disabling an index does not delete index data, and the operation is reversible.

You can disable an index in Splunk Web. To do this, navigate to Settings > Indexes and click Disable to the right of the index you want to disable. To re-enable the index, click Enable to the right of the index.

You can also disable an index with the CLI command splunk disable index:

splunk disable index <index_name>

To re-enable the index, use the splunk enable index command.

To disable an index for an indexer cluster, you must edit indexes.conf and set disabled=true in the index's stanza. You cannot use Splunk Web or the CLI. As with all such changes on an indexer cluster, you first edit the file on the master node and then apply the changes to the peer nodes. See Configure the peer indexes in an indexer cluster.

Remove older data based on retirement policy

When a bucket in an index reaches a specified age or when the index grows to a specified size, the bucket rolls to the "frozen" state, at which point the indexer removes it from the index. Just before removing the bucket, the indexer can save it to an archive, depending on how you configure your retirement policy.

For more information, see Set a retirement and archiving policy.

Last modified on 03 September, 2020

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10
