Documentation: 3.2.3
This page last updated: 04/23/08 11:04am

Remove (delete) data

With Splunk's tools, you can remove:

  • indexed event data from an index
  • global data in Splunk's hash database (tags, aliases)
  • user account data (all of your created user accounts)
  • all of the above data at once to return your Splunk installation to its original shipping state
  • events from searches

Note: You must have admin level privileges to remove data.

You have two main options when removing data from Splunk:

  • Use the clean command in the CLI to completely remove data (event, global, and user data) from the index. Typically, you do this before re-indexing all your data.
  • Use the delete:: modifier to specify that certain events not appear in search results. Because delete:: is slower than clean, use it only if you wish to re-index a small subset of your data sources--perhaps you want to reconfigure timestamp recognition for a single data source before re-indexing it. For example, delete events from the source "foo" (delete::source::foo) if you wish to re-index the source "foo".

Caution: Removing data is irreversible. Use caution when choosing what events to remove from searches, or what data to remove from your Splunk installation. If you want to get your data back, you must re-index the applicable data source(s).

The CLI command: clean

The clean CLI command deletes event data, global data, and user account data from your Splunk installation. clean takes the following arguments: eventdata, globaldata, userdata, and all.

Add the -f parameter to force clean to skip its confirmation prompts.

Note: Type ./splunk help clean to access the help page for clean while in the CLI.

Remove event data from an index

Permanently remove event data from an index on your Splunk installation by typing ./splunk clean followed by the eventdata argument. Specify an index to delete event data from a specific index. If you don't specify an index, Splunk deletes all event data from all indexes.

Examples:
This example tells Splunk to remove event data in all indexes (because no index argument is specified).

./splunk clean eventdata 

This example removes indexed event data from the internal index and forces Splunk to skip the confirmation prompt.

./splunk clean eventdata internal -f

Remove global data

Remove global data (tags and source type aliases for events you've indexed) from your Splunk installation by typing ./splunk clean followed by the globaldata argument.

Examples:
This example removes the global data for all indexed events.

./splunk clean globaldata

This example removes the global data for all indexed events and forces Splunk to skip the confirmation prompt.

./splunk clean globaldata -f

Remove user data

Remove user data (user accounts you've created) from your Splunk installation by typing ./splunk clean followed by the userdata argument.

Examples:
This example removes all of the user accounts you've created.

./splunk clean userdata

This example removes the user accounts you've created and forces Splunk to skip the confirmation prompt.

./splunk clean userdata -f

Remove all data

Remove all global, user, and indexed event data to return Splunk to its original installation state by typing ./splunk clean followed by the all argument.

Examples:
This example removes all global, user, and indexed event data.

./splunk clean all

This example removes all global, user, and indexed event data you've created and forces Splunk to skip the confirmation prompt.

./splunk clean all -f
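Every clean invocation above is irreversible, so when these commands are scripted an operator usually wants a guard in front of them. This is an added example, not Splunk's own tooling: a POSIX shell wrapper that refuses an eventdata clean with no index (which would wipe every index) and a clean all unless explicitly confirmed, appends an audit line, and offers a dry run. SPLUNK_HOME, CONFIRM_CLEAN_ALL, DRY_RUN and CLEAN_AUDIT_LOG are the example's own assumed variables.

```shell
#!/bin/sh
# Guarded front-end for "./splunk clean" (added example; hypothetical helper).

# Build the clean command line; prints it, or returns 1 and refuses.
# usage: build_clean_cmd <eventdata|globaldata|userdata|all> [index]
build_clean_cmd() {
  target=$1; index=$2
  case $target in
    eventdata)
      # An unscoped eventdata clean removes event data from ALL indexes.
      [ -n "$index" ] || { echo "refusing: eventdata needs an explicit index name" >&2; return 1; }
      echo "./splunk clean eventdata $index -f" ;;
    globaldata|userdata)
      [ -z "$index" ] || { echo "refusing: $target takes no index argument" >&2; return 1; }
      echo "./splunk clean $target -f" ;;
    all)
      # "clean all" returns the install to shipping state: require explicit opt-in.
      [ "$CONFIRM_CLEAN_ALL" = "yes" ] || { echo "refusing: set CONFIRM_CLEAN_ALL=yes" >&2; return 1; }
      echo "./splunk clean all -f" ;;
    *)
      echo "unknown clean target: $target" >&2; return 1 ;;
  esac
}

# Record who ran what, then execute from $SPLUNK_HOME/bin (or just print it in DRY_RUN).
# -f is passed because this wrapper is the confirmation step; Splunk's own prompt would
# otherwise block a non-interactive run.
run_clean() {
  cmd=$(build_clean_cmd "$@") || return 1
  printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$cmd" \
    >> "${CLEAN_AUDIT_LOG:-/tmp/splunk_clean_audit.log}"
  if [ -n "$DRY_RUN" ]; then
    echo "dry-run: $cmd"
    return 0
  fi
  ( cd "${SPLUNK_HOME:-/opt/splunk}/bin" && $cmd )
}
```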

Remove events from search results

Use the delete:: modifier to remove events from search results based on the value of an indexed field or on a matching string. Access the delete:: modifier by piping any search to the oldsearch command.

The delete:: modifier doesn't delete events from the index; it masks events from being displayed in search results by tagging them with a value in the index that makes them unsearchable.

Caution: Removing data is irreversible. Use caution when choosing what events to remove from searches, or what data to remove from your Splunk installation. If you want to get your data back, you must re-index the applicable data source(s).

Note: oldsearch is the deprecated version of the search command.

Syntax

search | oldsearch delete::(host | source | sourcetype)::value

  • You must express all fields and values in the argument of delete entirely in lowercase.
  • You can remove events based on values of any indexed field.
  • You can also remove events that match a string (delete::<string>) instead of matching a field::value pair. The strings can't contain any spaces or commas, and you can't specify multiple strings in a single argument.

Examples:
This example searches for "foo" and removes events of sourcetype=bar from the search results.

foo | oldsearch delete::sourcetype::bar

This example searches for "foo" and removes events from the host "webserver1".

foo | oldsearch delete::host::webserver1
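The lowercase and single-token rules above are easy to get wrong by hand, and a mistyped value silently deletes nothing (or the wrong thing). The following is an added example, a hypothetical helper and not part of Splunk: a shell function that accepts only the host, source and sourcetype fields, rejects values containing spaces or commas, folds the value to lowercase and emits the oldsearch string, optionally with the starttime/endtime bounds suggested in the first reader comment at the end of this page; cli_delete_command wraps it in the ./splunk search form shown in the second comment.

```shell
#!/bin/sh
# Builders for "| oldsearch delete::<field>::<value>" (added example; hypothetical helpers).

# usage: build_delete_search <host|source|sourcetype> <value> [starttime endtime]
build_delete_search() {
  field=$1; value=$2; start=$3; end=$4
  case $field in
    host|source|sourcetype) ;;
    *) echo "field must be host, source or sourcetype" >&2; return 1 ;;
  esac
  # A value is one token: no spaces, no commas, and never several values at once.
  case $value in
    ''|*' '*|*,*) echo "value must be a single token without spaces or commas" >&2; return 1 ;;
  esac
  # delete:: only matches lowercase; fold caps in the value instead of failing silently.
  value=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
  bounds=""
  if [ -n "$start" ] && [ -n "$end" ]; then
    bounds="starttime=$start endtime=$end "
  fi
  printf '| oldsearch %sdelete::%s::%s\n' "$bounds" "$field" "$value"
}

# Same search in the CLI form: ./splunk search '<search>'
cli_delete_command() {
  search=$(build_delete_search "$@") || return 1
  printf "./splunk search '%s'\n" "$search"
}
```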


Comments

  1. If you are having trouble using the delete command, try specifying a start time and end time within your search. For example, if you were trying to delete events from host 1.1.1.1, and the delete command does not appear to be working, try adding starttime and endtime values that cover the date range when the events occurred:

    | oldsearch starttime=01/01/08:00:00:01 endtime=06/11/08:23:59:59 delete::host::1.1.1.1

  2. delete is deprecated in 3.2. In 3.2.2 you can delete data from the index by using oldsearch with the following syntax:

    WebUI:

    | oldsearch delete::source::foo

    CLI:

    ./splunk search '| oldsearch delete::source::foo'

    **Note that if you have caps in your source you will have to squash them in the command.

  3. In Windows, go to the \Splunk\bin\ directory. From there you can run these commands, or type splunk help clean for more options.

  4. Is the delete command not supported or deprecated in 3.2?
