Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove Old Summary Index

clincg
Path Finder
‎08-03-2010 09:29 PM

Hi - does anyone know how to remove old summary index data? I have a few summary indexes saved in the system that was running the wrong query and thus indexed the wrong data. Every time I pull the data from that summary index report it will mix the wrong data into the result. We wanted to start over again, is there anyway to delete a particular summary index data or just clear that particular summary index report?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

ftk
Motivator
‎08-04-2010 12:21 PM

You should be able to keep the incorrect data from showing up with | delete. Come up with a search that only shows the bad data as a result, and then pipe it to delete. Note that this will not actually delete the data out of the index, but prevent it from showing up in future searches.

More info: http://www.splunk.com/base/Documentation/latest/Admin/RemovedatafromSplunk

View solution in original post

Reply
Solved! Jump to solution
Solution

ftk
Motivator
‎08-04-2010 12:21 PM

You should be able to keep the incorrect data from showing up with | delete. Come up with a search that only shows the bad data as a result, and then pipe it to delete. Note that this will not actually delete the data out of the index, but prevent it from showing up in future searches.

More info: http://www.splunk.com/base/Documentation/latest/Admin/RemovedatafromSplunk

Reply
Solved! Jump to solution

clincg
Path Finder
‎08-04-2010 10:19 PM

Thanks, the " | delete" actually works. Never thought of the "delete" command works for the summary index data as well.

0 Karma
Reply
Solved! Jump to solution

hexx
Splunk Employee
Splunk Employee
‎08-03-2010 10:40 PM

You can delete the contents of the summary index by running :

$SPLUNK_HOME/bin/splunk stop

$SPLUNK_HOME/bin/splunk clean eventdata -index summary

Note that this will completely wipe that index, no events will be kept.

EDIT : The python script $SPLUNK_HOME/bin/fill_summary_index.py can be used to back-fill the summary index.

For more information about the usage of that script, see :

http://www.splunk.com/base/Documentation/4.1.4/Knowledge/Managesummaryindexgapsandoverlaps#Use_the_b...

Reply
Solved! Jump to solution

hexx
Splunk Employee
Splunk Employee
‎08-04-2010 09:39 PM

I stand corrected, then. Thanks, G!

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-04-2010 06:09 PM

Backfilling does not require much work (in 4.x and up). Splunk comes with a backfill script that can backfill any summary index (or set of them) over any period with a single command line.

Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...