Deleting your indexes and indexed data
While Splunk continues to write data (events) to its indexes, you can remove specified indexed data or even an entire index from your Splunk environment. So, let's have a look at how to do this.
Deleting Splunk events
Splunk provides the special delete operator to remove events from your Splunk searches. The delete operator flags all the events returned so that future searches don't return them. This data will not be visible to any user (even users with admin permissions) when searching. However, flagging data with delete does not free up disk space, because the data is not removed from the index; it is just invisible to searches.
In Chapter 2, Advanced Searching, we discussed the Splunk search pipeline ...