Why is the Splunk Web service not running after an upgrade to 6.2? Learn more »
How I can I remove specfic indexed data from an exsiting data index?
Up to 2 attachments (including images) can be used with a maximum of 524288 each and 1048576 total.
Check out http://www.splunk.com/base/Documentation/4.1.1/Admin/RemovedatafromSplunk
You can delete specific indexed data using the delete command. So in your case, you might do:
sourcetype=my_sourcetype | delete
Note that you will need to have the can_delete role and that this process is irreversible. This will NOT create disk space.
Up to 2 attachments (including images) can be used with a maximum of 524.3 kB each and 1.0 MB total.
Answers and Comments
No one has followed this question yet.
Compare two searches and show differences
Search for multiple hosts in parameterized search
is there a logical OR available for searching?
Compute some stats without discarding full results
Percentage in range - numeric search?