How I can I remove specfic indexed data from an exsiting data index?
Up to 2 attachments (including images) can be used with a maximum of 524288 each and 1048576 total.
Check out http://www.splunk.com/base/Documentation/4.1.1/Admin/RemovedatafromSplunk
You can delete specific indexed data using the delete command. So in your case, you might do:
sourcetype=my_sourcetype | delete
Note that you will need to have the can_delete role and that this process is irreversible. This will NOT create disk space.
Up to 2 attachments (including images) can be used with a maximum of 524.3 kB each and 1.0 MB total.
Answers and Comments
No one has followed this question yet.
list "top" command question
Passing results to next command one at a time and using event results in parameters
In a Distributed Search environment, how do I restrict what indexes (or sources) the Search head sees on the Search Peer?
squid and ips logs OR squid and webseal log compare
why is eval not taking value of Parameter from ConvertToIntention?