How can I remove specific indexed data from an existing data index?
Check out http://www.splunk.com/base/Documentation/4.1.1/Admin/RemovedatafromSplunk
You can delete specific indexed data using the delete command. So in your case, you might do:
sourcetype=my_sourcetype | delete
Note that you will need to have the can_delete role and that this process is irreversible. This will NOT create disk space.