Solved: Re: How do I delete events?

the_wolverine · ‎04-16-2010

I have some data in my index that I don't want. How can I get rid of them?

the_wolverine · ‎04-16-2010

You can search for your unwanted events and then pipe them to delete. For example:

sourcetype=wantedsource | delete

It's a good idea to search for your events first and confirm that these events are the correct events.

Important notes:

The user running this command must have the delete capability or be assigned the can_delete role.
This command does not reclaim disk space. It merely masks the deleted events so that they are not returned as part of search results. To reclaim disk space, you need to clean the index -- if all of your unwanted data is in one index then you can simply clean that index. Or, set an automatic archival policy to, eventually, expire your data automatically but then you'll have wait for the trigger (size or age.)

dmaislin_splunk · ‎01-31-2012

FYI: You can only run the | delete command if you add the can_delete option in the role of the user.

tpaulsen · ‎01-31-2012

Yes, that´s what was stated in the original answer already.

tpaulsen · ‎01-31-2012

Will the deleted masked events age out as well?

the_wolverine · ‎04-16-2010

You can search for your unwanted events and then pipe them to delete. For example:

sourcetype=wantedsource | delete

It's a good idea to search for your events first and confirm that these events are the correct events.

Important notes:

The user running this command must have the delete capability or be assigned the can_delete role.
This command does not reclaim disk space. It merely masks the deleted events so that they are not returned as part of search results. To reclaim disk space, you need to clean the index -- if all of your unwanted data is in one index then you can simply clean that index. Or, set an automatic archival policy to, eventually, expire your data automatically but then you'll have wait for the trigger (size or age.)

How do I delete events?