Splunk Search

How to delete logs permanently from an indexer in an indexer cluster using a search?

himapate
Explorer

I want to delete logs from the last 3 months permanently from each indexer present inside the indexer cluster using a search.

The search below provides me with the output of the raw logs older than 3 months:

source=* sourcetype=* host=* latest=-90d@d earliest=0

Found out that the delete command doesn't delete the logs completely from the disk and the remove command cannot be used in an indexer clustering environment.

Do I have to rely only on the bucket rolling parameter set?
Is it necessary to mention each parameter in indexes.conf, or is it enough to mention frozenTimePeriodInSecs =?


esix_splunk
Splunk Employee

As you note, the |delete command doesn't delete the logs from the buckets. It actually marks them as unsearchable, and then they are deleted based on the retention policy of the index those logs are in.

So as you mention, you can set the frozenTimePeriodInSecs to 90 days, and it will roll all your buckets out based on a 90 day retention time. Note this applies to all sources and sourcetypes in an index. Splunk currently doesn't have the ability to age out sources/sourcetypes in this manner.

This should also be applied from the cluster master server for an indexer cluster, per each index you want to apply this to.
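As an added illustration (not part of either post above), this is what the retention setting described in the answer looks like in indexes.conf on the cluster manager. The index name `my_index` and the two file paths are placeholders; 7776000 is 90 days expressed in seconds (90 * 86400).

```ini
# Added example, not from the thread: retention stanza placed in the
# manager's configuration bundle, e.g.
#   $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf   (placeholder path)
# and then pushed to every peer with:
#   splunk validate cluster-bundle
#   splunk apply cluster-bundle
#
# [my_index] is a placeholder index name; repeat the stanza per index.
[my_index]
# Buckets whose newest event is older than this are rolled to frozen.
# 90 days = 90 * 86400 seconds = 7776000
frozenTimePeriodInSecs = 7776000

# Leave coldToFrozenDir and coldToFrozenScript unset: without an archive
# destination, Splunk deletes a frozen bucket from disk instead of moving it.
# coldToFrozenDir = /path/to/archive   (placeholder; set only if you want to keep the data)
```

Two practical notes: the age check is made against the newest event in a bucket, so events older than 90 days can linger until the whole bucket crosses the threshold, and because the setting is per index it removes every source and sourcetype in that index together, exactly as the answer states.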
