Remove indexed data from Splunk

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6


Splunk provides a special operator, delete. Before using the delete operator, read this section carefully.

Caution: Removing data is irreversible. Use caution when choosing what events to remove from searches, or what data to remove from your Splunk installation. If you want to get your data back, you must re-index the applicable data source(s).

Who can delete?

The delete operator can only be accessed by a user with the "delete_by_keyword" capability. By default, Splunk ships with a special role, "can_delete" that has this capability (and no others). The admin role does not have this capability by default. Splunk recommends you create a special user that you log into when you intend to delete index data.

For more information, refer to "Add users and assign roles" in this manual.

How to delete

To use the delete operator, run a search that returns the events you want deleted. Make sure that this search ONLY returns events you want to delete, and no other events.

For example, suppose you have already disabled or removed the input for a source called /fflanda/incoming/cheese.log, so that no new events from it will appear in future searches, and you now want to remove the events from that source that are already indexed. Do the following:

First, search for that source:

source="/fflanda/incoming/cheese.log"

Once you've confirmed that this is the data you want to delete, pipe that search to delete:

source="/fflanda/incoming/cheese.log" | delete

See the page about the delete operator in the Search Reference Manual for more examples.

Piping a search to the delete operator marks all the events returned by that search so that they are never returned by any future search. No user (even with admin permissions) will be able to see this data when searching with Splunk.

Currently, piping to delete does not reclaim disk space. Splunk will deliver a utility in a future release that reclaims the disk space by permanently removing all the events marked by the delete operator. The delete operator also does not update the metadata of the events, so metadata searches will still include the events even though the events themselves are no longer searchable. The main All indexed data dashboard will still show event counts for the deleted sources, hosts or sourcetypes.

Delete event data from the CLI with the 'clean' command

To permanently delete event data from your disk, use the clean command in the CLI, which removes the data from the index itself rather than just hiding it from searches. Typically, you do this before re-indexing all your data.

Add the -f parameter to force clean to skip its confirmation prompts.

From the Splunk CLI, type ./splunk help clean to access the help page for clean.

Permanently remove event data from an index on your Splunk installation by typing ./splunk clean followed by the eventdata argument. Specify an index to delete event data from a specific index. If you don't specify an index, Splunk deletes all event data from all indexes.

Examples

Note: You must first stop Splunk before you can run any of these commands:

./splunk stop

This example tells Splunk to remove event data in all indexes (because no index argument is specified).

./splunk clean eventdata

This example removes indexed event data from the _internal index and forces Splunk to skip the confirmation prompt.

./splunk clean eventdata _internal -f
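The procedure above has one costly failure mode: leaving out the index name makes clean wipe every index. The following POSIX shell wrapper is an added example, not part of Splunk or of this documentation; it assumes the splunk executable is named by SPLUNK_BIN (default ./splunk), stops splunkd before cleaning as required, and refuses to run clean unless an explicit, well-formed index name is given.

```shell
#!/bin/sh
# Added example, not Splunk's own tooling: a guarded wrapper around
# "splunk clean eventdata <index> -f" that refuses to run without an
# explicit index name (omitting it would wipe every index) and stops
# splunkd first, as the documentation requires.
# SPLUNK_BIN is an assumed variable naming the splunk executable.
SPLUNK_BIN="${SPLUNK_BIN:-./splunk}"

# Accept only non-empty names made of letters, digits, '_' and '-';
# reject anything starting with '-' so a stray option such as "-f" can
# never be mistaken for an index name.
valid_index_name() {
    case "$1" in
        "")               return 1 ;;
        -*)               return 1 ;;
        *[!A-Za-z0-9_-]*) return 1 ;;
        *)                return 0 ;;
    esac
}

# Stop splunkd, permanently remove the event data of one index, then
# start splunkd again. Returns 2 on a rejected index name, 1 if a
# splunk command fails, 0 on success.
clean_index() {
    ci_idx="$1"
    if ! valid_index_name "$ci_idx"; then
        echo "refusing to clean: an explicit index name is required (got '$ci_idx')" >&2
        return 2
    fi
    "$SPLUNK_BIN" stop || return 1
    # -f skips the interactive confirmation prompt; the name check above
    # stands in for that confirmation in unattended use.
    "$SPLUNK_BIN" clean eventdata "$ci_idx" -f || return 1
    "$SPLUNK_BIN" start
}

# Usage: sh clean_index.sh <index>   (for example: _internal)
if [ -n "${1:-}" ]; then
    clean_index "$1"
fi
```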