Dashboards & Visualizations

need basic directions for cleaning out indexed data

jchilovich
New Member

I'm new to the tool and just attempting to build a POC. I have limited disk space and have reached this limit. Tried command "./splunk clean eventdata -index <???>" but
1) not positive as to how to determine what index files I should look for to finish the argument. Where do I identify each index?
2) I get the following message "In order to clean, Splunked must not be running" - How do I 'turn it off'?
3) when running the above clean command, do I run this from the /bin or do I run from a different library?


kristian_kolb
Ultra Champion

1) When logged in, you can find the indexes in Manager (top right) -> Indexes (middle left). You probably have all your events in the index called 'main', which is the default index.

To run the clean command, you do not need to know the directory or filenames of where the data is stored. Only the name of the index.

2) /opt/splunk/bin/splunk stop

3) see 2)

/K

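The stop / clean / start sequence from the answer above, as an added example script that is not part of this thread or of Splunk itself. It assumes SPLUNK_HOME is /opt/splunk unless overridden, validates the index name against Splunk's user-index naming rule (lowercase letters, digits, underscore, hyphen, no leading underscore or hyphen) so a typo or an internal index cannot be cleaned by accident, and passes -f to skip the interactive confirmation; DRY_RUN prints the command instead of running it.

```shell
#!/bin/sh
# Added example: wrap "splunk stop; splunk clean eventdata; splunk start"
# with an index-name check and a dry-run mode. SPLUNK_HOME defaults to the
# /opt/splunk path used in the answer above.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Accept only names Splunk lets a user create: lowercase letters, digits,
# underscore and hyphen, not starting with underscore or hyphen. This also
# keeps Splunk's own underscore-prefixed internal indexes out of reach.
valid_index_name() {
    case "$1" in
        ''|_*|-*) return 1 ;;
        *[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Build the exact command line so it can be reviewed before it runs.
clean_cmd() {
    printf '%s/bin/splunk clean eventdata -index %s -f\n' "$SPLUNK_HOME" "$1"
}

# Stop splunkd (clean refuses to run while it is up), wipe the index, restart.
clean_index() {
    idx="$1"
    valid_index_name "$idx" || {
        echo "refusing: '$idx' is not a valid index name" >&2
        return 2
    }
    "$SPLUNK_HOME/bin/splunk" stop
    "$SPLUNK_HOME/bin/splunk" clean eventdata -index "$idx" -f
    "$SPLUNK_HOME/bin/splunk" start
}

# Usage: ./clean_index.sh main        (or DRY_RUN=1 ./clean_index.sh main)
if [ -n "$1" ]; then
    if [ -n "$DRY_RUN" ]; then
        clean_cmd "$1"
    else
        clean_index "$1"
    fi
fi
```

Run it with DRY_RUN=1 first; the printed line is exactly what the script will execute, so the index name can be checked once more before data is removed.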

kristian_kolb
Ultra Champion

where xxx would be seconds; 60 * 60 * 24 * 7 = 604800


kristian_kolb
Ultra Champion

Well, the easiest would be to set the limit on the amount of data, if you are not yet up to speed on config files.

Go into Manager -> Indexes and select the index you're putting data into (main most likely). There you can set the total amount of data the index can hold (in MB).

If you want to set the retention on age, you'll have to create/edit a config file called indexes.conf in /opt/splunk/etc/system/local, roughly like this:

[main]
frozenTimePeriodInSecs = xxx

Be aware though that messing with this file and getting it wrong can result in an unusable system or loss of data.

/k

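The retention stanza sketched above, together with the seconds arithmetic from the follow-up comment, as an added Python example that is not part of this thread or of Splunk. It turns a retention window in days into the frozenTimePeriodInSecs value, renders the [main] stanza (optionally with maxTotalDataSizeMB, the conf-file key behind the size limit on the Manager -> Indexes page), and parses an existing indexes.conf to flag stanzas with no retention set, an unparsable value, or a window longer than an assumed policy ceiling. The sample file contents are constructed for the example; the 365-day ceiling is this example's own assumption.

```python
"""Added example: build and sanity-check indexes.conf retention settings.
Not code from the thread or from Splunk; the sample conf text is constructed."""
import configparser
from typing import Dict, Optional

SECS_PER_DAY = 60 * 60 * 24
# Splunk's documented default for frozenTimePeriodInSecs (about six years):
# a stanza that never sets the key keeps data this long before freezing it.
DEFAULT_FROZEN_SECS = 188697600


def retention_secs(days: int) -> int:
    """Seconds to put in frozenTimePeriodInSecs for a retention window in days."""
    if days <= 0:
        raise ValueError("retention window must be at least one day")
    return days * SECS_PER_DAY


def render_stanza(index: str, days: int, max_total_mb: Optional[int] = None) -> str:
    """Render one [index] stanza in the key = value form indexes.conf uses."""
    lines = [f"[{index}]", f"frozenTimePeriodInSecs = {retention_secs(days)}"]
    if max_total_mb is not None:
        lines.append(f"maxTotalDataSizeMB = {max_total_mb}")
    return "\n".join(lines) + "\n"


def check_retention(conf_text: str, max_days: int = 365) -> Dict[str, str]:
    """Parse indexes.conf text and return {stanza: problem} for every stanza
    whose retention is missing, not an integer, or longer than max_days
    (an assumed policy ceiling). Stanzas that look fine are omitted."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep Splunk's camelCase keys as written
    parser.read_string(conf_text)
    findings: Dict[str, str] = {}
    for stanza in parser.sections():
        raw = parser.get(stanza, "frozenTimePeriodInSecs", fallback=None)
        if raw is None:
            findings[stanza] = (
                f"frozenTimePeriodInSecs not set; default of {DEFAULT_FROZEN_SECS}s applies"
            )
            continue
        try:
            secs = int(raw)
        except ValueError:
            findings[stanza] = f"frozenTimePeriodInSecs = {raw!r} is not a whole number of seconds"
            continue
        if secs > max_days * SECS_PER_DAY:
            findings[stanza] = (
                f"retention is {secs // SECS_PER_DAY} days, above the {max_days}-day ceiling"
            )
    return findings


# Constructed sample file for this example, not taken from any real deployment.
SAMPLE_CONF = """\
[main]
frozenTimePeriodInSecs = 604800
maxTotalDataSizeMB = 5000

[poc_logs]
maxTotalDataSizeMB = 500

[archive]
frozenTimePeriodInSecs = 63072000

[broken]
frozenTimePeriodInSecs = 7d
"""

if __name__ == "__main__":
    # The seven-day stanza from the thread, with a 5000 MB size cap added.
    print(render_stanza("main", 7, max_total_mb=5000), end="")
    for stanza, problem in check_retention(SAMPLE_CONF).items():
        print(f"{stanza}: {problem}")
```

Running check_retention over the real file before copying a new stanza into /opt/splunk/etc/system/local catches the two mistakes the warning above is about: a stanza that silently keeps the multi-year default, and a value like "7d" that is not the integer seconds Splunk expects.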

stefandagerman
Path Finder

You don't need a script.
May I suggest reading up on how to configure your index(es) to define data retention?
This may be helpful:
http://docs.splunk.com/Documentation/Splunk/5.0.2/Indexer/HowSplunkstoresindexes
http://wiki.splunk.com/Deploy:BucketRotationAndRetention

jchilovich
New Member

Thank you. This cleared out what I needed. Can I follow up with yet another question?

What kind of script do I need (or whatever the process would be) to clean out all data after say 7 days? A week's worth of data should be more than enough for any RCA needed.
