Why is the Splunk Web service not running after an upgrade to 6.2? Learn more »
How I can I remove specfic indexed data from an exsiting data index?
Up to 2 attachments (including images) can be used with a maximum of 524288 each and 1048576 total.
Check out http://www.splunk.com/base/Documentation/4.1.1/Admin/RemovedatafromSplunk
You can delete specific indexed data using the delete command. So in your case, you might do:
sourcetype=my_sourcetype | delete
Note that you will need to have the can_delete role and that this process is irreversible. This will NOT create disk space.
Up to 2 attachments (including images) can be used with a maximum of 524.3 kB each and 1.0 MB total.
Answers and Comments
No one has followed this question yet.
Interesting Fields not getting listed as part of results.csv.gz file
What fields are displayed when using the "map" command
Top 3 results within a group from table
Share a search for multiple widgets in a Dashboard
How to store search result to variable in Splunk?