Getting Data In

How to delete a huge number of old events from the test data that has slipped in

matthewhaswell
Path Finder

Unfortunately our production Splunk was connected to a test system splunkforwarder by mistake and according to the Summary 9.5 million test events were uploaded into our main index.

Unfortunately every single one had the same timestamp of _time="1346149418" (Tue, 28 Aug 2012 10:23:38 GMT) so when I try to view or delete them then it fails with a red bar and a "Error in 'IndexScopedSearch': The search failed. More than 1000000 events found at time".

I understand the error from the other questions but I want to delete all these events and that host - but I can't clear the production index due to the error. All the events are the same (I think - we can't see them!) so I can't subdivide the search to less than 1,000,000.

Is there any other way to delete this host and these events?

Many thanks,

Matt

Tags (2)
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Can you try doing this and see if it helps

index=yourindex sourcetype=yoursourcetype _time="1346149418" | head 999999 | delete

0 Karma

yannK
Splunk Employee
Splunk Employee

To selectively hide the data, check the |delete searchh command in the docs.

0 Karma

jalfrey
Communicator

The delete command only works if your search runs.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...