I was testing Splunk by adding multiple servers via both syslog and the Splunk forwarder. But now my Splunk indexer has all kinds of stuff that I don't need anymore.
I want to remove some hosts, sources and sourcetypes, and the data they contain. Per the documentation I should be able to delete them by removing stanzas in indexes.conf, but I can't find the entries in it.
Please help me out.
To stop new events from coming into your indexes, remove the
If you delete stuff from indexes.conf, you remove the reference to where the indexes are located on disk. I don't think that's what you want.
If you want to selectively remove some of the information in indexes you otherwise wish to keep, then type in a search that selects those events and pipe them to
Make sure that your user role has the
Whoops, now all data from badhost is gone. However, the data from goodhost is of two different sourcetypes (badtype and goodtype), so guess what:
...and it's gone as well.
You should note that this operation does NOT actually delete the data, it just prevents it from ever being returned as search results.
If you want to clean an index completely, then you should do so through the command line:
For more information regarding the clean command see: Is there a way to clean event data from a specific date range? on Splunk Answers
hope this helps,
EDIT: Missed a parameter in the clean command... oops. Fixed now.
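As an added example (not from the original answer and not Splunk's own code), here is a POSIX shell wrapper around the command-line route the answer ends with, `splunk clean eventdata`, which is the only one of the two methods that actually removes buckets from disk; `delete` from the search bar only hides events from search results, and it needs the delete_by_keyword capability, which the built-in can_delete role grants and the admin role does not inherit by default. The wrapper assumes SPLUNK_HOME defaults to /opt/splunk and that `splunk status` prints "splunkd is running" while the daemon is up; the guards (index-name validation, refusing the underscore-prefixed internal indexes unless overridden, refusing to run while splunkd is up, and a dry-run view of the exact arguments) are this example's own additions, not something the clean command does for you. Before either method, run the search you intend to scope the deletion with and check its event count, because scoping it by host alone takes every sourcetype on that host with it.

```shell
#!/bin/sh
# Added example, not from the original thread: a guarded wrapper around
#   splunk clean eventdata -index <name> -f
# which wipes an entire index on disk (it cannot target a host or sourcetype).
# Assumptions: SPLUNK_HOME defaults to /opt/splunk, and `splunk status`
# prints "splunkd is running" while the daemon is up.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_BIN="${SPLUNK_BIN:-$SPLUNK_HOME/bin/splunk}"

# Accept only lowercase letters, digits, underscore and hyphen, and reject an
# empty name or a leading hyphen (which the CLI would parse as an option).
valid_index_name() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Splunk's own indexes (_internal, _audit, ...) start with an underscore;
# wiping them discards the audit trail, so they are refused unless overridden.
is_internal_index() {
    case "$1" in
        _*) return 0 ;;
        *) return 1 ;;
    esac
}

# The exact argument list handed to the splunk binary, one per line, so an
# operator can review it (dry run) before anything destructive happens.
clean_args() {
    printf 'clean\neventdata\n-index\n%s\n-f\n' "$1"
}

# True while splunkd is up. `clean eventdata` must run against a stopped
# instance, so this is checked before the wipe is attempted.
splunkd_running() {
    "$SPLUNK_BIN" status 2>/dev/null | grep -q 'splunkd is running'
}

# clean_index <index> [--allow-internal]
# Exit codes: 0 success, 2 request refused, 3 splunkd still running.
clean_index() {
    idx="$1"; allow_internal="${2:-}"
    if ! valid_index_name "$idx"; then
        echo "refusing: '$idx' is not a valid index name" >&2; return 2
    fi
    if is_internal_index "$idx" && [ "$allow_internal" != "--allow-internal" ]; then
        echo "refusing: '$idx' is an internal index; pass --allow-internal to override" >&2; return 2
    fi
    if splunkd_running; then
        echo "refusing: run '$SPLUNK_BIN stop' first; clean cannot run on a live index" >&2; return 3
    fi
    # Arguments come from clean_args and contain no whitespace, so word
    # splitting on the newlines is exactly the split we want.
    set -- $(clean_args "$idx")
    "$SPLUNK_BIN" "$@"
}

# Usage (after `splunk stop`, then `splunk start` when done):
#   RUN_CLEAN=1 sh clean_index.sh <index> [--allow-internal]
# Without RUN_CLEAN=1 the file only defines the functions above.
if [ "${RUN_CLEAN:-0}" = "1" ]; then
    echo "about to run: $SPLUNK_BIN $(clean_args "$1" | tr '\n' ' ')" >&2
    clean_index "$@"
fi
```

Because `clean eventdata` wipes every bucket of the index, the usual pattern is to keep test traffic in its own index from the start so it can be cleaned without touching production data; for selective removal by host or sourcetype the search-side `delete` remains the only option, and the space is not reclaimed until those buckets age out.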
Splunk -> Manager -> Data inputs -> (Files and Directories in my case) -> locate your data source and, on the right side under "Actions", click delete.
Hope this helps
answered 15 Nov '11, 02:24