Deleted events still showing in search summary

hughroberts · ‎11-30-2013

Hi all

I deleted a large number of events taken through a UniversalForwarder (v5.0.3) using the | delete command.

However these events are still showing up in the event counts on the Search summary page, they don't show up in a regular search only on the summary page.

Is there any way to fix these count totals?

Set up is clustered environment with 2 indexers, one cluster master and one search head, all servers are v5.0.3 running on Windows 2008.

gkanapathy · ‎11-30-2013

It can take some time (as much as an hour or so) for the metadata to be updated after a delete command.

hughroberts · ‎12-01-2013

thanks for the tip, its been that way for 24 hours, think there is a bucket issue, am looking at doing a meta.dirty to force a rebuild of the metsdata.

ShaneNewman · ‎11-30-2013

Is there a chance you have used search optimization? If you have, splunk creates a summary index, meaning the historical data will still be in that summary index.

hughroberts · ‎12-01-2013

hmmmm, should not be on for that specific index but its a possible, thanks for the tip, its give me some things to investigate

Deleted events still showing in search summary

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life