How to delete indexed data for a particular date?

sahoo0233 · ‎07-24-2015

Hi,

I index data on a daily basis. For indexing, I have made a monitoring path in inputs.conf, so once the file is in that path it, automatically gets indexed.

So I have made a mistake by pasting the wrong set of files in that monitoring path. Now I need to delete the particular set of files for that particular date itself.

Its urgent as we are into production right now.

richgalloway · ‎07-24-2015

Assuming you have Delete permission, search for the data you don't want and pipe it to the delete command.

index=foo source=somefile earliest=7/22/2015 00:00:00 latest=7/22/2015 23:59:59 | delete

Add qualifiers as needed to select only the data you want to delete.

---
If this reply helps you, Karma would be appreciated.

sahoo0233 · ‎07-24-2015

Hi rich,

I am a rookie in splunk, could you please help where should i give the above command, any specified path?? a small example may be!!

Thanks

richgalloway · ‎07-24-2015

Enter your command in the search bar of the Splunk web GUI. You'll need to update my example for your environment (index name, date, etc.).

---
If this reply helps you, Karma would be appreciated.

How to delete indexed data for a particular date?

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability