- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to remove data from a bucket for a specifi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to remove data from a bucket for a specified period of time?
I want to remove the data for a specified period of time from the bucket.
I will be able to delete the data in the command " | delete" of the search query,
I think this method is hidden from the search results, the data in the bucket and not deleted.
One of the ways that I have thought is the following methods.
splunk cmd exporttool <warm_buckets> -et <buckets_earliest_time> -lt <specified_start_time> -csv
splunk cmd exporttool <warm_buckets> -et <specified_end_time> -lt <buckets_latest_time> -csv
.
exsample:
The contains data from 2014/09/01 to 2014/09/30 and I want to remove the data from 2014/09/10 to 2014/09/20.
Execute following command.
splunk cmd exporttool <warm_buckets> ex_1.csv -et 2014/09/01(epochtime) -lt 2014/09/09(epochtime) -csv
splunk cmd exporttool <warm_buckets> ex_2.csv -et 2014/09/21(epochtime) -lt 2014/09/30(epochtime) -csv
.
Delete and import these two csv file.
Although I think you can completely remove the only data for the period is in this way,
Would not the smart way to another?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to know what you are doing before deleting any bucket. If you proceed do it at your own risk.
The general steps are the following:
1) To be safe stop splunkd.
2) Select the splunk indexer and index you want to delete a bucket from.
3) From the selected indexer: a) Run the following splunk query with the period of time you may want to delete events from.
|dbinspect index=your_index_name |
4) If you are running 6.x, the returned fields will be these:
bucketId endEpoch eventCount guId hostCount id index modTime path rawSize sizeOnDiskMB sourceCount sourceTypeCount splunk_server startEpoch state
5) endEpoch and startEpoch show the earliest and latest events contained in the bucket. The bucket file system path is found in field "path".
6) Delete the bucket that you need to. For unix run " rm -rf path"
As I said, You need to know what you are doing before deleting any bucket from the file system.
I hope these steps will help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use the delete command If the bucket you want to delete has a period from 2014/09/01 to 2014/03/30, but, you only want to delete events from 2014/09/10 to 2014/09/20.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The delete command can't the indexed data.
It's only hidden from search result.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your answer.
I'll give you a pretty rough-hewn example.
I have a one bucket per month.
The contains data from 2014/09/01 to 2014/09/30.
But I want to remove the data from 2014/09/10 to 2014/09/20.
If only delete the bucket, It's deleted I don't want to delete.
I want to remain from 2014/09/01 to 2014/09/09 and from 2014/09/21 to 2014/09/30.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
