product
service
- Simple Security Consulting [Consulting]
- Splunk SOAR Automation Assessment Service [Consulting]
- Dashboard/SPL Creation Pack [Implementation/Building Support]
- Version upgrade service [implementation and construction support]
- Splunk Premium Apps construction support service [implementation and construction support]
- Splunk Security Log Analysis Start Package [Original App/Service]
- Splunk × CrowdStrike Falcon Insight, Macnica Original App [Original App/Service]
- Government uniform standard compatible App [Original App/Service]
- Smart Security Monitoring App [Original App/Service]
- Splunk × LANSCOPE Original App [Original App/Service]
- Security Monitoring App for Box [Original App/Service]
- Cloud Security Monitoring App [Original App/Service]
- SIEM Operation Monitoring Service [Original App/Service]
- List of services
- Macnica Premium Support for Splunk (utilization support, version upgrade monitoring)
- Macnica Premium Support for Splunk Skill Up Package
Specifications/Technical Information
Application for evaluation machine
- FAQ
How to delete data
- release date
- 2015-05-06
- last updated
- 2019-03-29
- version
- Splunk Enterprise 6.6.0, Splunk Enterprise 7.0.2
- Overview
-
When physically deleting data imported to an indexer, the procedure differs depending on whether indexer clustering is used.
There are two ways to physically delete data: use the "clean eventdata" command to delete imported data, and use "frozenTimePeriodInSecs" to shorten the data retention period.
- Reference information
- content
-
This section describes the procedure to delete the imported data from the index together with the data.
The procedure differs depending on whether indexer clustering is used or not, so please perform the deletion according to the environment.
Note that there is no way to delete data from disk only for a specific event.
For standalone configuration (non-indexer clustering environment)
Method 1: Steps to Drop Individual Indexes
【procedure】
- Stop Splunk.
example)
$SPLUNK_HOME/bin/splunk stop* $SPLUNK_HOME for default installation
Linux: /opt/splunk
Windows:C:\Program Files\splunk- Execute the following command.
example)
$SPLUNK_HOME/bin/splunk clean eventdata -index <index_name>* It is possible to delete data in index units. For example, if you specify main as <index_name>, all data accumulated in main will be deleted.
example)
$SPLUNK_HOME/bin/splunk clean eventdata -index main*If you omit -index and later, all index data will be deleted.
example)
$SPLUNK_HOME/bin/splunk clean eventdata- Start Splunk.
example)
$SPLUNK_HOME/bin/splunk startMethod 2: Using frozenTimePeriodInSecs
It is a method to change the retention period of the index to be deleted and wait for it to rotate (delete) naturally.
For details on frozenTimePeriodInSecs, see the document below.
http://docs.splunk.com/Documentation/Splunk/7.0.2/Indexer/Setaretirementandarchivingpolicy
【procedure】
- If the index whose data you want to delete has data imported by file or folder monitoring, etc., delete the settings from inputs.conf on the forwarder or indexer to prevent new data from being imported.
- Add the following stanza to indexes.conf under $SPLUNK_HOME/etc/system/local or under $SPLUNK_HOME/etc/apps/<any app>/local (create a new one if it doesn't exist).
(Setting Example)
[<削除したいindex名>]
frozenTimePeriodInSecs = 100* Specified in seconds. For example, with the above settings, if the latest timestamp among the events in the bucket is 100 seconds or more before the time of the OS where Splunk is installed, the bucket will be moved to frozen state. To do.
- Restart Splunk to apply the settings.
- After confirming that the index data has been deleted, delete the stanza set in 2 above.
- Restart Splunk again.
If you are using indexer clustering
When using the indexer clustering function, it is not possible to delete a specific index on a specific indexer.
In the case of a cluster configuration, it is possible to delete data in units of indexes from all indexers (cluster peers) by the following method.
【procedure】
- If the index whose data you want to delete has data imported by file or folder monitoring, etc., delete the settings from inputs.conf on the forwarder or indexer to prevent new data from being imported.
- Add the following stanza to indexes.conf under $SPLUNK_HOME/etc/master-apps/_cluster/local on the cluster master (create a new one if it does not exist).
(Setting Example)
[<削除したいindex名>]
frozenTimePeriodInSecs = 100* Specified in seconds. For example, with the above settings, if the latest timestamp among the events in the bucket is 100 seconds or more before the time of the OS where Splunk is installed, the bucket will be moved to frozen state. To do.
- Distribute the settings of the cluster master to the cluster peers using the following command on the CLI.
$SPLUNK_HOME/bin/splunk apply cluster-bundle*When you execute the above command, you will be prompted to confirm whether to restart all peers, so enter yes.
*The Splunk service will not be restarted just by distributing the changed frozenTimePeriodInSecs setting value, but the setting after distribution will be valid.
For details on the above commands, see the document below.
http://docs.splunk.com/Documentation/Splunk/7.0.2/Indexer/Updatepeerconfigurations
- In order to transition the buckets in the HOT stage to the WARM stage, the cluster peer will be rolled restarted from the cluster master.
$SPLUNK_HOME/bin/splunk rolling-restart cluster-peersFor details on the above commands, see the document below.
http://docs.splunk.com/Documentation/Splunk/7.0.2/Indexer/Userollingrestart
- After confirming that the index data has been deleted, delete the stanza set in 2 above.
- Execute step 3 above again.
that's all
In charge of Macnica Splunk Co., Ltd.
- TEL:045-476-2010
- E-mail:splunk-sales@macnica.co.jp
Mon-Fri 8:45-17:30
