|
Googling for "splunk delete index" turns up http://www.splunk.com/base/Documentation/3.3/User/DeleteAnIndex

Which gives this error when I use it in CLI:

Command error: This command has been removed.

How do we delete an index in 4.1.3?

edit: I'm not referring to cleaning eventdata from an index, for which Lowell's and Nicholas' answers would be correct. (Thanks though!) I'm referring to actually deleting an index from Splunk, so that it actually is removed from the indexes list in the Manager.
|
rayfoo, go to Manager » Indexes and find your index there. Go ahead and Disable this index. Make sure you have removed all input.conf stanzas that monitor data and send it to this particular index. Once finished, restart splunk. Check to make sure that the index got disabled.

Then to completely delete/remove the index go to $SPLUNK_DB/INDEX_NAME/ and either delete or move this index to a different folder.

Then, go and find where the stanza for the particular index that you want to delete got saved in your indexes.conf. You can check /etc/system/local or /etc/apps/search/local/ or even /etc/apps/launcher/local/

Find and remove the stanza that is relevant to your index (the one you want to delete). Should look something like this:

[test]

Then restart splunk again. I believe this should be enough for you to "delete" the index and not have it show up in the indexes list on your manager page.

Cheers,
|
Your doc is pointing to the 3.3 release of splunk, which is not relevant to 4.1. Use this link instead: http://www.splunk.com/base/Documentation/latest/Admin/RemovedatafromSplunk

yeap, Lowell is right:

* To permanently remove event data from a single index, type:
(19 Jul '10, 17:53)
Genti ♦
Thanks, but I'm not referring to cleaning eventdata (pls ref to my edit in the qn above)
(21 Jul '10, 15:40)
rayfoo
|
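As an added example (not part of the answer above and not Splunk's own tooling), a read-only shell check for the leftovers those steps ask you to remove: an `[index]` stanza in any indexes.conf, `index = ...` lines in any inputs.conf, and the data directory. It assumes configuration lives under `<splunk_home>/etc` and data under `<splunk_db>/<index>`; the function name `find_index_leftovers` is hypothetical.

```shell
#!/bin/sh
# Added example: report what still references an index after the manual
# removal steps. Read-only; it changes nothing on disk.
# Assumed layout: configs under <splunk_home>/etc, data under <splunk_db>/<index>.
# Usage: find_index_leftovers <splunk_home> <splunk_db> <index_name>
find_index_leftovers() {
    home=$1 db=$2 idx=$3
    # Restrict the name so it can be dropped into a regex unescaped
    # (this script's own rule, not a statement about Splunk's naming).
    case $idx in
        ''|*[!a-z0-9_-]*) echo "bad index name: $idx" >&2; return 2 ;;
    esac
    sp='[[:space:]]*'
    # [name] stanza headers in any indexes.conf ([[] and []] match the brackets)
    find "$home/etc" -type f -name indexes.conf \
        -exec grep -n -E "^${sp}[[]${idx}[]]${sp}\$" {} /dev/null \; |
        sed 's/^/stanza /'
    # "index = name" settings in any inputs.conf (commented-out lines are skipped)
    find "$home/etc" -type f -name inputs.conf \
        -exec grep -n -E "^${sp}index${sp}=${sp}${idx}${sp}\$" {} /dev/null \; |
        sed 's/^/input  /'
    # Data directory still on disk
    if [ -d "$db/$idx" ]; then echo "data   $db/$idx"; fi
    return 0
}
```

Each output line is `stanza`, `input` or `data` followed by the file, line number and matching text; empty output means nothing in those locations still names the index.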
|
Never mind! I found the instructions for Splunk 4.2.1 to remove indexed data and completely delete the index.

Remove indexed data from Splunk

Completely delete an index (and not just the data contained in it)

It seems to be obvious once you know it, but before then, general instructions were so vague. Thanks
|
try this rayfoo:
or this:
By the way, are you trying to remove the events from that particular index? Or are you trying to move the index to another directory?
Thanks, but I'm not referring to cleaning eventdata (pls ref to my edit in the qn above)
(21 Jul '10, 15:40)
rayfoo
|
|
Has this question been answered? How do you delete an index (completely) from Splunk 4.1.3 (not just clear events)?

Raj, did you get an answer to the question? I tried the old procedure, but the index is still visible (although disabled).
Yeps, refer to Genti's answer which I chose, right at the top of this section.
(05 Aug '10, 16:06)
rayfoo
|
|
Not sure why the debate is still ongoing, Genti's answer above contains all the information you need to remove an index
There is no feature to completely remove an index via the UI or the CLI |
|
I'm sorry to revive this thread, but as of 4.2.1, it still seems like it is still not possible to remove/delete an index using the UI or CLI. I find it somewhat bizarre that such a feature just does not exist. I'm quite curious about it, as surely there must be a good reason for that. Does anyone know why? thx
|
It is now May 7, 2011, and I am using Splunk 4.2 build 96430. Does anyone have the answer?

I am new to Splunk and learning how to develop apps and to manage the system. I have followed the instruction above to remove an index. (Well, sort of! The instruction doesn't explicitly spell out the "relevant index.conf" and the "all input.conf"). I located and viewed ALL index.conf and input.conf files under the $SPLUNK_HOME directory tree, but I found no trace of related stanzas or settings. Regardless of all my efforts, the web screen at Splunk >> Manager >> Indexes still lists the index. Uh!

On the other hand, I used the CLI to remove, but it returned a message, "Command error: This command has been removed." I wonder why the "splunk remove index {Index_Name}" command has been removed and why this version of Splunk has made a step backward, compared to the previous versions.

The system seems to be OK with the disabled index, but I want to tidy up my system. I greatly appreciate any help I can get. Thanks
|
Hi bmnguyen, even I have been facing this issue (on Splunk 4.1.6) but have found only a few links useful. Sharing them here, hope they might help:
Hope these two links help. Do let me know if these helped you in resolving your issue or not. Regards, Mohit Vohra. |
