Remove indexes and indexed data
You can remove indexed data or even entire indexes from the indexer. These are the main options:
- Delete events from subsequent searches.
- Remove all data from one or more indexes.
- Remove or disable an entire index.
- Delete older data, based on a retirement policy.
Caution: Removing data is irreversible. If you want to get your data back once you've removed data using any of the techniques described in this topic, you must re-index the applicable data sources.
Delete events from subsequent searches
The Splunk search language provides the special command
delete to delete event data from subsequent searches. Before using
delete , read this section carefully.
delete command is available only with events indexes. You cannot use it with metrics indexes
Note: You cannot run the
delete command during a real-time search; you cannot delete events as they come in. If you try to use
delete during a real-time search, Splunk Enterprise will display an error.
Who can delete?
delete command can only be run by a user with the "delete_by_keyword" capability. By default, Splunk Enterprise ships with a special role, "can_delete" that has this capability (and no others). The admin role does not have this capability by default. It's recommended that you create a special user that you log into when you intend to delete index data.
For more information, refer to Add and edit roles in Securing Splunk Enterprise.
How to delete
First run a search that returns the events you want deleted. Make sure that this search returns only the events you want to delete, and no other events. Once you're certain of that, you can pipe the results of the search to the
For example, if you want to remove the events you've indexed from a source called
/fflanda/incoming/cheese.log so that they no longer appear in searches, do the following:
1. Disable or remove that source so that it no longer gets indexed.
2. Search for events from that source in your index:
3. Look at the results to confirm that this is the data you want to delete.
4. Once you've confirmed that this is the data you want to delete, pipe the search to
source="/fflanda/incoming/cheese.log" | delete
See the page about the delete command in the Search Reference Manual for more examples.
Note: When running Splunk on Windows, substitute the forward slashes (/) in the examples with backslashes (\).
Piping a search to the
delete command marks all the events returned by that search so that subsequent searches do not return them. No user (even with admin permissions) will be able to see this data when searching.
Note: Piping to
delete does not reclaim disk space. The data is not actually removed from the index; it is just invisible to searches.
delete command does not update the metadata of the events, so any metadata searches will still include the events although they are not searchable. The main All indexed data dashboard will still show event counts for the deleted sources, hosts, or sourcetypes.
The delete operation and indexer clusters
In the normal course of index replication, the effects of a
delete operation get quickly propagated across all bucket copies in the cluster, typically within a few seconds or minutes, depending on the cluster load and amount of data and buckets affected by the
delete operation. During this propagation interval, a search can return results that have already been deleted.
Also, if a peer that had primary bucket copies at the time of the
delete operation goes down before all the results have been propagated, some of the deletes will be lost. In that case, you must rerun the operation after the primary copies from the downed peer have been reassigned.
Remove data from one or all indexes
To delete indexed data permanently from your disk, use the CLI
clean command. This command completely deletes the data in one or all indexes, depending on whether you provide an
<index_name> argument. Typically, you run
clean before re-indexing all your data.
clean command does not work on clustered indexes.
How to use the clean command
Here are the main ways to use the
- To access the help page for
splunk help clean
- To permanently remove data from all indexes, type:
splunk clean eventdata
- To permanently remove data from a single index, type:
splunk clean eventdata -index <index_name>
<index_name> is the name of the targeted index.
- Add the
-fparameter to force
cleanto skip its confirmation prompts.
Important: You must stop the indexer before you run the
Note: In pre-5.0 versions of Splunk Enterprise, running the
clean command caused the indexer to reset the next bucket ID value for the index to 0. Starting with version 5.0, this is no longer the case. So, if the latest bucket ID was 3, after you run
clean, the next bucket ID will be 4, not 0. For more information on bucket naming conventions and the bucket ID, see What the index directories look like.
This example removes data from all indexes:
splunk stop splunk clean eventdata
This example removes data from the
_internal index and forces Splunk to skip the confirmation prompt:
splunk stop splunk clean eventdata -index _internal -f
Remove an index entirely
To remove an index entirely (and not just the data contained in it), use the CLI command
splunk remove index <index_name>
This command deletes the index's data directories and removes the index's stanza from
Before running the command, look through all
inputs.conf files (on your indexer and on any forwarders sending data to the indexer) and make sure that none of the stanzas are directing data to the index you plan to delete. In other words, if you want to delete an index called "nogood", make sure the following attribute/value pair does not appear in any of your input stanzas:
index=nogood. Once the index has been deleted, the indexer will discard any data still being sent to that index.
When you run
remove index, it first warns you if any of the inputs on the indexer (but not on any forwarders) are still configured to send data to the specified index. You'll see a message like this:
03-28-2012 23:59:22.973 -0700 WARN IndexAdminHandler - Events from the following 3 inputs will now be discarded, since they had targeted index=zzz: 03-28-2012 23:59:22.973 -0700 WARN IndexAdminHandler - type: monitor, id: /home/v/syslog-avg-1000-lines 03-28-2012 23:59:22.973 -0700 WARN IndexAdminHandler - type: monitor, id: /mnt/kickstart/internal/fermi 03-28-2012 23:59:22.973 -0700 WARN IndexAdminHandler - type: monitor, id: /mnt/kickstart/internal/flights
You can run
remove index while
splunkd is running. You do not need to restart
splunkd after the command completes.
The index deletion process is ordinarily fast, but the duration depends on several factors:
- The amount of data being deleted.
- Whether you are currently performing heavy writes to other indexes on the same disk.
- Whether you have a large number of small
.tsidxfiles in the index you're deleting.
Disable an index without deleting it
disable index CLI command to disable an index without deleting it:
splunk disable index <index_name>
remove index command,
disable index does not delete index data, and it is reversible (with the
enable index command). However, once an index is disabled,
splunkd will no longer accept data targeted at it.
You can also disable an index in Splunk Web. To do this, navigate to Settings > Indexes and click Disable to the right of the index you want to disable.
Delete older data based on retirement policy
When data in an index reaches a specified age or when the index grows to a specified size, it rolls to the "frozen" state, at which point the indexer deletes it from the index. Just before deleting the data, the indexer can move it to an archive, depending on how you configure your retirement policy.
For more information, see Set a retirement and archiving policy.
Create custom indexes
Manage pipeline sets for index parallelization
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4