Splunk Search

How do I delete previously loaded data before new data is indexed in Splunk?

shivendra_infy
Path Finder

Hi

I am using SQL Source as my Data Source. I have written a Select query which loads data in the Database every 5 minutes. Now, what I need is before the Select query loads data in Splunk, I need to delete the previously loaded data.

0 Karma

puneethgowda
Communicator

I have the same question data is appending but old data and new data will be same some time so i am seeing less than 1,000 rows in MS sql live db and 10,000 rows in splunk which means 1000*10=10,000 but there should be 1,000 rows only as it is in ms sql i mean mirroring !:)

0 Karma

ddrillic
Ultra Champion

You can always run <base query> | delete which would delete the returned data.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Have you considered a live db lookup instead of deleting and reindexing the data every few minutes?
If you can't do a live lookup, consider writing the data into the key value store instead of indexing it. There you can delete, update, etc.

For actually indexed data, delete and update aren't valid operations.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...