Solved: Problems Deleting Data in Splunk 6

conner9 · ‎10-29-2013

Trying to delete data from an index for a specific day, and keep getting an error.

index=os sourcetype=ps provides 600k results for a single day.

index=os sourcetype=ps | delete results in "job terminated unexpectedly" "search terminated because of an error"

Yes the account has the delete functionality.

Thanks in advance for any thoughts.

conner9 · ‎10-29-2013

I found my particular problem. Some of the files in my index directory were owned by root, and it was preventing my deletes from taking affect. As soon as I reset ownership to splunk:splunk, it started working again.

View solution in original post

conner9 · ‎10-29-2013

I found my particular problem. Some of the files in my index directory were owned by root, and it was preventing my deletes from taking affect. As soon as I reset ownership to splunk:splunk, it started working again.

jtrucks · ‎10-29-2013

Have you tried deleting data for only a couple hours or some other shorter period of time? It is possible you are hitting resource constraints that are messing with the completion of the job.

--
Jesse Trucks
Minister of Magic

conner9 · ‎10-29-2013

I did, and it was still failing.

Problems Deleting Data in Splunk 6

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk