Forums: SplunkAdministration: How do I remove Sources


Hi,

How do I remove Sources from my 'Sources Indexed'?

Thx.

You got a developer answer on removing data from indexes - there is a nice command that deletes all data in indexes too. Don't go running rm -rf; let us do it safely for you ;)

cd into splunk's bin dir (usually in /opt/splunk/bin)

./splunk index-clean [indexname]

Removes the specified index. With no argument it removes all indexes. Equivalent to clean-index.

./splunk clean-all

Permanently erases all indexes, Saved Splunks, Live Splunks, event type and source type metadata, and statistics.

More documentation on the topic can be found here: http://www.splunk.com/doc/3.0/admin/DeleteFromIndex

I've seen this response to this same question twice, but it's not an answer to removing sources... it's an answer to how to clean an index. :(

Use the delete command on the source:

http://www.splunk.com/base/Documentation/latest/Admin/RemoveDeleteData#Remove_events_from_search_results