Are you a Splunk Community MVP? Apply for membership in the SplunkTrust! For more details, read this blog post about it »
How I can I remove specfic indexed data from an exsiting data index?
Up to 2 attachments (including images) can be used with a maximum of 524288 each and 1048576 total.
Check out http://www.splunk.com/base/Documentation/4.1.1/Admin/RemovedatafromSplunk
You can delete specific indexed data using the delete command. So in your case, you might do:
sourcetype=my_sourcetype | delete
Note that you will need to have the can_delete role and that this process is irreversible. This will NOT create disk space.
Up to 2 attachments (including images) can be used with a maximum of 524.3 kB each and 1.0 MB total.
Answers and Comments
No one has followed this question yet.
Color table rows with different colors in Splunk 6.x Dashboard Examples
get source file names containing a specific value without search through every event within
How to run three different searches on click of a submitbutton?
How to show more than 50 events on a page in 6.x?
What is the quickest way to see if a host was ever indexed in Splunk?