how do I remove a source

juriggs · ‎07-05-2013

Ok, this is massively frustrating. I downloaded Splunk and installed it on my computer. I ran through the tutorials just to get a feel for how the thing worked. To start, I just indexed some of the logs on my local machine. Now I want to get rid of those sources... and I mean I want them GONE. I want the data gone, I want my disk space back, and I don't want the source to show up in the list on the search page. This REALLY shouldn't be so hard... why in the world isn't this as simple as adding data?

seanbarbour · ‎07-08-2013

Using the delete command will remove the sources from showing up in the search without removing all of the data from the main index. This should cleanup the dashboard.

For the future setup a test index that will allow you to test new inputs and use as a sandbox, this way you have an index you can use the clean command on without affecting the other indexes.

juriggs · ‎07-08-2013

Thanks for the link, but I think I'm going to have a hard time explaining to management that we can't clean the dashboard and make it readable, or reclaim our disk space.

If anyone from Splunk hangs out on this board, I'd love to hear the reasoning behind this "feature" so that I can try to make a case...

Thanks,

Justin

linu1988 · ‎07-05-2013

You can't delete the sources itself. If you want to delete the data in your indexes, please use the below command

Stop splunkd

Go to -> splunk//bin folder
splunk clean eventdata. Your data will be cleaned from the indexes.

Please refer this:
http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/RemovedatafromSplunk

how do I remove a source

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor