Getting Data In

Can't delete one host permanently after already deleted index

luanvn
Explorer

Now, I was uncomfortable. I can't delete one host that was displayed on search.

I already deleted it's index by splunk clean eventdata -index xxxx. But when i open search home page I can still see it.

Then I also delete that host by host = xxx | delete. After press f5. But it still display. It's really stubborn.

So, there're any way how to prevent or delete or remove that host, i don't wanna that always display my home page search?

Tags (2)
0 Karma

chimell
Motivator

Hi luanvn

Default permissions do not let you delete data but it does remove the data from the index. You can 'clean' an index of data permanently and you'll see that option in the link as well. Just make sure you want to delete the data since you can't get it back.

Updated link:

http://docs.splunk.com/Documentation/Splunk/latest/Indexer/RemovedatafromSplunk

0 Karma

luanvn
Explorer

Nvm, I got them. In fact my host was saved at wineventlog. So I delete all events in winevenlog by following steps:

  1. Stop splunk service
  2. Remove all event in wineventlog index by: splunk clean eventdata -index wineventlog
  3. Start splunk again.
0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

Can you please let us know how you cleaned your index? With below steps??

1.) Stop splunk service on Indexer
2.) Clean your Index
3.) Start splunk service on Indexer

Thanks,
Harshil

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...