Use Splunk's tools to remove various types of data from your Splunk installation. With Splunk's tools, you can remove:
Note: You must have admin privileges to remove data.
You have two main options when removing data from Splunk:
Caution: Removing data is irreversible. Use caution when choosing what events to remove from searches, or what data to remove from your Splunk installation. If you want to get your data back, you must re-index the applicable data source(s).
The CLI command: clean
The clean CLI command deletes event data, global data, and user account data from your Splunk installation. clean takes the following arguments: eventdata, globaldata, userdata, and all.
Add the -f parameter to force clean to skip its confirmation prompts.
Note: Type ./splunk help clean to access the help page for clean while in the CLI.
Remove event data from an index
Permanently remove event data from an index on your Splunk installation by typing ./splunk clean followed by the eventdata argument. Specify an index to delete event data from a specific index. If you don't specify an index, Splunk deletes all event data from all indexes.
Examples
This example tells Splunk to remove event data from all indexes (because no index argument is specified).
./splunk clean eventdata
This example removes indexed event data from the internal index and forces Splunk to skip the confirmation prompt.
./splunk clean eventdata internal -f
Remove global data (tags and source type aliases for events you've indexed) from your Splunk installation by typing ./splunk clean followed by the globaldata argument.
Examples
This example removes the global data for all indexed events.
./splunk clean globaldata
This example removes the global data for all indexed events and forces Splunk to skip the confirmation prompt.
./splunk clean globaldata -f
Remove user data (user accounts you've created) from your Splunk installation by typing ./splunk clean followed by the userdata argument.
Examples
This example removes all of the user accounts you've created.
./splunk clean userdata
This example removes the user accounts you've created and forces Splunk to skip the confirmation prompt.
./splunk clean userdata -f
Remove all global, user, and indexed event data to return Splunk to its original installation state by typing ./splunk clean followed by the all argument.
Examples
This example removes all global, user, and indexed event data.
./splunk clean all
This example removes all global, user, and indexed event data you've created and forces Splunk to skip the confirmation prompt.
./splunk clean all -f
This ONLY works in the CLI.
Use the delete:: modifier to remove events from your index based on an indexed field value, or by matching a string. Access the delete:: modifier by using the oldsearch command in a CLI search.
The delete:: modifier doesn't delete events from the index; it masks events from being displayed in search results by flagging them with a value that makes them unsearchable.
Caution: Removing data is irreversible. Use caution when choosing what events to remove from searches, or what data to remove from your Splunk installation. If you want to get your data back, you must re-index the applicable data source(s).
Note: oldsearch is the deprecated version of the search command that you need to use to access the delete:: modifier.
Syntax
In the CLI:
./splunk search ' | oldsearch delete::(host | source | sourcetype)::value '
Note: You need to authenticate when using oldsearch delete::xxx. Use the -auth search parameter.
Examples
This example removes events of sourcetype=bar from the search results.
./splunk search ' | oldsearch delete::sourcetype::bar' -auth admin:changeme
This example removes events from the host "webserver1".
./splunk search ' | oldsearch delete::host::webserver1' -auth admin:changeme
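The two removal paths above (clean, which is irreversible, and the delete:: modifier, whose value is spliced into a quoted CLI search string) are easy to run with a mistyped argument. The wrapper below is an added example, not Splunk's own code: it validates the field, scope and index arguments, refuses values that would break out of the quoted search, never appends -f, dry-runs unless CONFIRM=yes is set, and writes an audit line before executing. The SPLUNK_HOME default and the audit log path are assumptions; it expects ./splunk login to have been run so that no password is passed with -auth on the command line.

```shell
# Guarded wrapper around the two removal paths this page documents: 'clean' and
# the oldsearch delete:: modifier. Added example, not Splunk's own code; the
# SPLUNK_HOME default and the audit log path are assumptions.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
AUDIT_LOG="${AUDIT_LOG:-/tmp/splunk-removal-audit.log}"

# Build the delete:: search for one field/value pair. Refuses fields other than
# host|source|sourcetype, empty values, and values containing a single quote,
# which would break out of the quoted search string handed to the CLI.
build_delete_cmd() {
    field="$1"; value="$2"
    case "$field" in
        host|source|sourcetype) ;;
        *) echo "unsupported field: $field" >&2; return 1 ;;
    esac
    [ -n "$value" ] || { echo "empty value" >&2; return 1; }
    case "$value" in *\'*) echo "value contains a quote" >&2; return 1 ;; esac
    # No -auth on the command line: run './splunk login' first so the password
    # does not land in shell history or the process list.
    printf "%s/bin/splunk search ' | oldsearch delete::%s::%s'\n" \
        "$SPLUNK_HOME" "$field" "$value"
}

# Build the clean command. Scope must be one of the four documented arguments;
# an index name is accepted only with eventdata and must be a plain identifier.
# -f is deliberately never added, so clean's own confirmation prompt stays on.
build_clean_cmd() {
    scope="$1"; index="$2"
    case "$scope" in
        eventdata|globaldata|userdata|all) ;;
        *) echo "unsupported scope: $scope" >&2; return 1 ;;
    esac
    if [ -n "$index" ]; then
        [ "$scope" = eventdata ] || { echo "index only valid with eventdata" >&2; return 1; }
        case "$index" in *[!A-Za-z0-9_-]*) echo "bad index name: $index" >&2; return 1 ;; esac
    fi
    printf "%s/bin/splunk clean %s%s\n" "$SPLUNK_HOME" "$scope" "${index:+ $index}"
}

# Dry run unless CONFIRM=yes; when executing, first append who ran what and when
# to the audit log, since the removal itself is irreversible.
run_guarded() {
    cmd="$1"
    if [ "${CONFIRM:-no}" != yes ]; then
        echo "DRY RUN (set CONFIRM=yes to execute): $cmd"; return 0
    fi
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$cmd" >> "$AUDIT_LOG"
    eval "$cmd"   # safe only because every argument was validated above
}
```

Typical use is `run_guarded "$(build_delete_cmd host webserver1)"` to see the exact command, then the same call with CONFIRM=yes once it looks right.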
Comments
Thanks for the response. I do have to read up on not indexing it in the first place.
If that's the case, then what would the command line command be?
Thanks
-Mike
Posted by marrrone on Oct 01 2008, 11:45am
Hello marrrone,
Unfortunately, there is no way to remove this data after the fact from the GUI - it needs to be from the CLI. I realize this is sub-optimal for some users; graphic data management is a major focus of upcoming releases.
Moving forward, your best bet is to not index 529 events in the first place. The way to do that is to filter at index, rather than search time. Instructions on how to do that are here:
http://www.splunk.com/doc/3.3/admin/FilterFromIndex
HTH!
Posted by jcervelli on Oct 01 2008, 9:40am
Is there a way to do this from the gui?
I'm basically trying to delete all events with an EventCode of 592 (Windows process creation). I'm using the windows version here.
I'm evaluating splunk now, so I need to know how easy this stuff is to do.
How can I do this?
Thanks!
Posted by marrrone on Oct 01 2008, 7:20am
How do I delete the "WinRegistry" sourcetype and data associated? I tried the delete command and clean command to no avail.
Posted by galbanese on Sep 24 2008, 7:45am
Can you do a splunk login before you try to run the delete command? The error you are seeing is that you do not have an authenticated splunk session.
Posted by BSplunk on Sep 15 2008, 12:46pm
From the command line as root:
./splunk search ' | oldsearch delete::source::/var/log/HOSTS/mailhandler/2008/07/03/03'
An authentication error occurred: Splunk requires authentication for this command. Please see "splunk help".
Posted by foodforthehungry on Sep 11 2008, 8:58am
I also have had issues trying to remove (delete) a source from a search. Syntax used:
delete::source::/var/log/HOSTS/mailhandler/2008/07/03/03
delete::source::"/var/log/HOSTS/mailhandler/2008/07/03/03"
delete::source="/var/log/HOSTS/mailhandler/2008/07/03/03"
Splunk ver Splunk 3.3.1 39933
running on opensuse 10.3
Posted by foodforthehungry on Sep 11 2008, 8:24am
As BSplunk has stated, the oldsearch delete command should only be run from the CLI. This command is not supported via the web interface. -Splunk Support
Posted by syep on Aug 19 2008, 1:23pm
The docs are now correct and the command from the CLI should work correctly.
Posted by BSplunk on Aug 13 2008, 1:25pm
This fixed yet?
Posted by gumshoes on Aug 13 2008, 11:25am