Getting Data In

How to delete existing indexed events?

jkponnuri
Explorer

Hi,

I saw multiple junk Windows security events filling up my disk space. I have now filtered the unnecessary events. How can I delete those existing events? I tried... delete, and it shows "deleted successfully" when I do a search with the delete command, but I saw that the events are not deleted. Could someone help me with how to clean up existing indexed events?

Thanks,
Jay

0 Karma

murikadan
Path Finder

The post here explores a way "to modify indexed data or prune 'deleted' data from the index"; might be worth a read 🙂

https://wiki.splunk.com/Community:Modifying_indexed_data_via_export_and_import

0 Karma

Lucas_K
Motivator

"Delete and it's showing deleted successfully when I do a search with delete command".

That isn't a search, it's a delete command. You are seeing the status of the delete as it happens.
Those events have been marked as unsearchable and won't be shown in future searches.

Subsequent deletions over the same data won't do anything as they are already gone.

What you should be doing is:

Confirm that those are the events you want deleted.
index=blah sourcetype=blah myevent

Delete the same events.
index=blah sourcetype=blah myevent | delete

You'll see it report back how many events it has "deleted" (actually hidden).

Check that no events are in that same search.
index=blah sourcetype=blah myevent

0 Karma

jkponnuri
Explorer

Hi,

Thanks for your answer. I actually want to remove the events completely and free up my disk space. If I use delete, the disk space does not change. If I delete the junk events I will get 350 GB of free space. Please let me know how to remove events completely and free up the disk space.

Thanks.

0 Karma

Lucas_K
Motivator

Due to the internals of how Splunk indexers work, selective recovery of disk space is not possible.
Reclaiming space can only be done by fully deleting ALL data inside an index.

WARNING: This is NON-EVENT-SPECIFIC and needs to be done on each search peer/indexer that has your particular index on it.

To do this, jump onto your indexer.

./splunk clean eventdata -index myindexblah

This will delete ALL buckets inside that particular index. Make sure this is what you want to do 😉

0 Karma
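The answer above leaves the per-indexer legwork to the reader. As an added example (not Lucas_K's code and not a Splunk-supplied script), the script below wraps `splunk clean eventdata` so it runs the same way on every search peer that holds the index: it rejects malformed or internal (`_`-prefixed) index names before anything destructive happens, stops splunkd first (the CLI refuses to clean a live index), passes `-f` to skip the interactive prompt, and restarts splunkd afterwards. The index name `wineventlog`, the hostnames, `$SPLUNK_HOME` defaulting to `/opt/splunk`, and key-based SSH access to the indexers are all assumptions. `DRY_RUN=1` prints the remote command sequence instead of executing it.

```shell
#!/bin/sh
# Added example, not from the original thread: wipe one index on every indexer.
# Assumes the Splunk CLI is at $SPLUNK_HOME/bin/splunk on each host and that
# SSH key access to the indexers is already set up.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Splunk index names may contain only lowercase letters, digits, underscore and
# hyphen, and may not start with underscore or hyphen. Rejecting a leading
# underscore also keeps the internal indexes (_internal, _audit, ...) out of
# reach of this script. Returns 0 if the name is safe to hand to the CLI.
validate_index_name() {
  case "$1" in
    "")            return 1 ;;
    _*)            return 1 ;;
    -*)            return 1 ;;
    *[!a-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# Emit the exact command sequence that will run on one indexer. "set -e" makes
# the remote shell stop if "splunk stop" fails, so we never clean a running
# instance. -f suppresses the CLI's "are you sure" prompt.
remote_commands() {
  idx="$1"
  printf '%s\n' \
    "set -e" \
    "$SPLUNK_HOME/bin/splunk stop" \
    "$SPLUNK_HOME/bin/splunk clean eventdata -index $idx -f" \
    "$SPLUNK_HOME/bin/splunk start"
}

# clean_index <index> <indexer> [<indexer> ...]
# Refuses (exit 1) without touching any host if the index name is invalid or
# no indexers are given. With DRY_RUN=1 it only prints what would be executed.
clean_index() {
  idx="$1"
  [ $# -gt 0 ] && shift
  if ! validate_index_name "$idx"; then
    echo "refusing to clean index '$idx': invalid or internal index name" >&2
    return 1
  fi
  if [ $# -eq 0 ]; then
    echo "no indexers given" >&2
    return 1
  fi
  for host in "$@"; do
    echo "== $host"
    if [ "${DRY_RUN:-0}" = 1 ]; then
      remote_commands "$idx" | sed 's/^/  /'
    else
      # Feed the sequence to a remote shell on stdin; abort on the first failing host.
      remote_commands "$idx" | ssh "$host" 'sh -s' || return 1
    fi
  done
}

# Usage: DRY_RUN=1 sh clean_index.sh wineventlog idx01.example.com idx02.example.com
if [ $# -gt 0 ]; then
  clean_index "$@"
fi
```

Run it once with `DRY_RUN=1` and read the output before running it for real: the CLI call is NON-EVENT-SPECIFIC, so every bucket in the named index disappears on every host listed, and the only way back is a restore from backup.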

jkponnuri
Explorer

Thanks for quick reply. So it won't be possible to delete and reclaim disk space for specific junk events in index. Thanks a lot for your answer.

0 Karma

MuS
SplunkTrust

Hi jkponnuri,

From the docs http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Delete

Using the delete command marks all of the events returned by the search as deleted. Subsequent searches do not return the marked events. No user, not even a user with admin permissions, is able to view this data using Splunk Enterprise. The delete command does not reclaim disk space.

There is a complete topic on this in the documentation: Remove indexes and indexed data. It explains the four main options:

Delete events from subsequent searches.
Remove all data from one or more indexes.
Remove or disable an entire index.
Delete older data, based on a retirement policy.

Hope this helps ...

cheers, MuS

0 Karma
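Of the four options MuS lists, the fourth (a retirement policy) is the one that actually frees disk for junk data going forward without wiping the whole index: buckets are frozen, and with no `coldToFrozenDir` set that means deleted, once their newest event passes the age limit or the index exceeds its size cap. As an added example that is not part of MuS's answer or the Splunk documentation, here is an `indexes.conf` stanza doing that. The index name `wineventlog`, the 90-day and 200 GB limits, and the paths are assumptions; the setting names are the standard ones. Note that freezing is per bucket, not per event, so the space comes back in bucket-sized steps and only when an entire bucket has aged out, which is why it cannot be aimed at specific events inside a bucket.

```ini
# indexes.conf on each indexer (e.g. $SPLUNK_HOME/etc/system/local/ or a deployed app).
# Added example, not from the thread; name, limits and paths are assumed.
[wineventlog]
homePath   = $SPLUNK_DB/wineventlog/db
coldPath   = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb

# Freeze (delete, since no coldToFrozenDir is set) any bucket whose newest event
# is older than 90 days: 90 * 24 * 60 * 60 seconds.
frozenTimePeriodInSecs = 7776000

# Also freeze the oldest buckets whenever the index grows past 200 GB (in MB).
maxTotalDataSizeMB = 204800
```

Restart splunkd (or reload the index configuration) on each indexer after deploying the stanza; the limits are enforced per indexer, so the cap is per peer, not cluster-wide.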