How can I remove specific indexed data from an existing data index?
Check out http://www.splunk.com/base/Documentation/4.1.1/Admin/RemovedatafromSplunk
You can delete specific indexed data using the delete command. So in your case, you might do:
sourcetype=my_sourcetype | delete
Note that you will need to have the can_delete role and that this process is irreversible. This will NOT create disk space.