
How to delete a sourcetype from one of my indexes?

newbiesplunk
Path Finder

Hi,

I have two sourcetypes forwarded to an index, but I just want to delete one of the sourcetypes from this index. What is the approach? Thanks

0 Karma

gyslainlatsa
Motivator

Hi newbiesplunk,
if your index has one sourcetype, you can remove the index in one go using the following command: splunk clean eventdata -index <indexname>

0 Karma

satishsdange
Builder

You won't be able to delete partial data once the data is indexed. Either you have to clean the index data or follow the above recommendation.

0 Karma

gyslainlatsa
Motivator

hi,
your index How sourcetype?
please forgive my english

0 Karma

newbiesplunk
Path Finder

Hi, I saw there is a rebuild index function (splunk rebuild). Can I use it for my case? Thanks

0 Karma

kml_uvce
Builder

Use this search:

index=indexname sourcetype=sourcetypename | delete

This will not delete the data from the sourcetype, but you will not see any data from this sourcetype in search.

newbiesplunk
Path Finder

Hi, I know this search, but I need to remove it permanently from the index. What would be the advice? Thanks

0 Karma

esix_splunk
Splunk Employee

When you delete the data via the | delete command, this marks the buckets as unsearchable and this data will be aged out via the retention period of the index.

Aside from this, you need to modify your inputs to make sure that data source isn't sent to this index anymore.

Why isn't this sufficient for your use case? Data will not be visible to users or available to search, so for all intents and purposes, the data is deleted.
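
The input and retention changes described in the last reply, sketched as configuration. This is an added example, not part of the original thread; the stanza names, the monitored path and the 90-day value are placeholders chosen for illustration.

```ini
# --- inputs.conf on the forwarder (existing stanza; path and names are placeholders) ---
# Stop new events of the unwanted sourcetype from reaching the original index:
# point the input at another index, or disable it.
[monitor:///var/log/example_app/app.log]
sourcetype = example_sourcetype
index = example_other_index
# disabled = true

# --- indexes.conf on the indexer (add to the index's existing stanza) ---
# Events hidden by "| delete" stay on disk and free no space until their
# bucket is frozen. A bucket is frozen once its newest event is older than
# frozenTimePeriodInSecs. With no coldToFrozenDir or coldToFrozenScript
# configured, frozen buckets are removed from disk.
# Caveat: retention applies to the whole index, so shortening it also ages
# out the sourcetype you want to keep.
[example_index]
frozenTimePeriodInSecs = 7776000
# 7776000 s = 90 days (constructed value; the default is 188697600 s, about 6 years)

# --- checks around "| delete" (searches, shown here as comments) ---
# "| delete" needs a role holding the delete_by_keyword capability
# (the built-in can_delete role); the admin role does not have it by default.
# Count the events before and after to confirm they no longer appear:
#   index=example_index sourcetype=example_sourcetype | stats count
```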
