how to really delete, NOT HIDE, data from splunk

tvaniderstine
Explorer

I want to delete everything older than 90 days. I've searched and found several answers to 'how do I delete data...' where the answers have assumed that the word 'delete' equals 'hide'. I don't want to hide data, I don't want to export and reimport data. I want to delete data. I want it to be removed from my system permanently.

Is there an App that will do this or do I really have to delete everything and start over?

Alternatively, I'd be able to live with modifying the system to only store 90 days' worth of data and simply delete everything and start over.

beaunewcomb
Communicator

So say I have an index that's got data in it back 120 Days, then I set this:

[indexname]
frozenTimePeriodInSecs = 7776000

I'm assuming that if I restart splunk, it will automatically go through and start deleting stuff older than 90 days on its own. Is this correct?

beaunewcomb
Communicator

Ok... weird... thanks!

0 Karma

mikelanghorst
Motivator

Yes, but with a caveat. It will only delete the buckets whose newest event is older than that.

Starlette
Contributor

Take a look at this, you have to configure this per index.
So e.g. in indexes.conf

[main]
frozenTimePeriodInSecs = 7776000

This will delete data from the main index after 90 days (so it's in seconds)

Regarding the delete on demand, you can clean per index as in:

splunk clean eventdata -index "indexname"

(Splunk has to be stopped)

mnestorc
New Member

What do you mean by
[main]
and where would I type that command in?
I'm new to Splunk and have just set it up with 1 Cisco firewall inputting syslog data. I've just barely messed with this web GUI interface.

If I want to set an auto delete policy for my data because the disk size I am using is a small 25GB drive, how do you navigate to the area to type in the command above:
frozenTimePeriodInSecs = 7776000

0 Karma

mikelanghorst
Motivator

One item to note, clean eventdata -index will delete all data in that index, no option to selectively delete data in an index.

If you need to keep some data but remove other data at the 90 mark, you'll need to keep that data in separate indexes.

0 Karma
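
The bucket-level caveat raised in the thread, worked through as an added example (not code from any poster or from Splunk): it parses warm/cold bucket directory names and shows which buckets a 90-day frozenTimePeriodInSecs would remove and which stay on disk while still holding expired events. The sample directory names, the fixed NOW value and the strict "older than" comparison are constructed assumptions.

```python
import re
from typing import NamedTuple, Optional

# Warm/cold bucket directories are named db_<newest_epoch>_<oldest_epoch>_<id>.
BUCKET_RE = re.compile(r"^db_(\d+)_(\d+)_(\d+)$")
DAY = 86400


class Bucket(NamedTuple):
    name: str
    newest: int  # epoch of the latest event in the bucket
    oldest: int  # epoch of the earliest event in the bucket


def parse_bucket(name: str) -> Optional[Bucket]:
    """Return a Bucket for db_* names, None for anything else (e.g. hot buckets)."""
    m = BUCKET_RE.match(name)
    if not m:
        return None
    return Bucket(name, int(m.group(1)), int(m.group(2)))


def retention_report(names, now: int, frozen_secs: int):
    """Classify buckets per the thread's caveat: a bucket is frozen only
    when its NEWEST event is older than frozenTimePeriodInSecs."""
    cutoff = now - frozen_secs
    report = {"frozen": [], "kept_with_expired_events": [], "kept": []}
    for b in filter(None, map(parse_bucket, names)):
        if b.newest < cutoff:  # boundary handling is an assumption
            report["frozen"].append(b.name)
        elif b.oldest < cutoff:
            # Some events are past retention, but the whole bucket stays on disk.
            report["kept_with_expired_events"].append(b.name)
        else:
            report["kept"].append(b.name)
    return report


# Constructed sample; NOW is fixed so the result is reproducible.
NOW = 1_700_000_000
SAMPLE = [
    f"db_{NOW - 100 * DAY}_{NOW - 120 * DAY}_1",  # every event older than 90 days
    f"db_{NOW - 10 * DAY}_{NOW - 120 * DAY}_2",   # spans 120 days ago to 10 days ago
    f"db_{NOW - 1 * DAY}_{NOW - 5 * DAY}_3",      # every event recent
    "hot_v1_4",                                   # hot bucket: no time range in name
]

if __name__ == "__main__":
    for state, buckets in retention_report(SAMPLE, NOW, 90 * DAY).items():
        print(state, buckets)
```

Buckets listed under kept_with_expired_events are the ones to watch when a retention requirement is stated per event rather than per bucket.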