Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to really delete, NOT HIDE, data from splunk

tvaniderstine
Explorer
‎09-06-2011 12:03 AM

I want to delete everything older than 90 days. I've searched and found several answers to 'how do I delete data...' where the answers have assumed that the word 'delete' equals 'hide'. I don't want to hide data, I don't want to export and reimport data. I want to delete data. I want it to be removed from my system permanantly

Is there an App that will do this or do I really have to delete everything and start over.

Alternatively, I'd be able to live with modifying the system to only store 90 days' worth of data and simply delete everything and start over.

Tags (1)
Reply

beaunewcomb
Communicator
‎09-26-2012 01:14 PM

So say I have an index that's got data in it back 120 Days, then I set this:

[indexname]
frozenTimePeriodInSecs = 7776000

I'm assuming that if I restart splunk, it will automatically go through and start deleting stuff older than 90 days on its own. Is this correct?

Reply

beaunewcomb
Communicator
‎09-26-2012 01:23 PM

Ok... weird... thanks!

0 Karma
Reply

mikelanghorst
Motivator
‎09-26-2012 01:21 PM

Yes, but with a caveat. It will only delete the buckets with the newest event is older than that.

Reply

Starlette
Contributor
‎09-06-2011 01:03 AM

Take a look at this , you have to configure this per index.
So e.g. in indexes.conf

[main]
frozenTimePeriodInSecs = 7776000

This wil delete data from the main index after 90 days (so its in seconds)

Regarding the delete on demand, you can clean per index as in :

splunk clean evendata -index "indexname"

( splunk has to stopped)

Reply

mnestorc
New Member
‎01-05-2013 11:35 AM

What do you mean by
[main]
and where would I type that command in?
I'm new to Splunk and have just set it up with 1 cisco firewall inputting syslog data. I've just barely messed with this web GUI interface.

If I want to set an auto delete policy for my data because the disk size I am using is a small 25GB drive, how do you navigate to the area to type in the command above:
frozenTimePeriodInSecs = 7776000

0 Karma
Reply

mikelanghorst
Motivator
‎09-06-2011 10:12 AM

One item to note, clean eventdata -index will delete all data in that index, no option to selectively delete data in an index.

If you need to keep some data but remove other data at the 90 mark, you'll need to keep that data in separate indexes.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top