To remove all events from a host, we need to clean the index those events were written to on the indexer (the index that host's data is sent to). To clean that index, run the CLI command below. Note that splunkd must be stopped first (splunk stop); clean eventdata refuses to run while Splunk is running.
Open a command prompt and navigate to %SPLUNK_HOME%\bin (the installation directory that contains splunk.exe).
splunk clean eventdata -index [indexname] -f
Example: to clean the index named 'default'
splunk clean eventdata -index default -f
Example: to clean all indexes (no -index argument; this also empties internal indexes such as _audit and _internal)
splunk clean eventdata -f
To let a Splunk administrator who does not know these commands clean an index, simply put them in a batch file and have the administrator run that batch file.
set /p var=Enter Splunk installation folder that has splunk.exe: 
"%var%\splunk.exe" stop
"%var%\splunk.exe" clean eventdata -index main -f
"%var%\splunk.exe" start
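Because -f suppresses the confirmation prompt and omitting -index wipes every index (including the audit trail in _audit), a wrapper handed to an administrator should make the destructive case hard to trigger by accident. The following PowerShell script is an added example, not code from the original page: it validates the index name, refuses wildcards and internal indexes, asks the operator to retype the name, stops splunkd before cleaning, and restarts it afterwards. The default path C:\Program Files\Splunk and the parameter names are assumptions.

```powershell
# Added example (not from the original page): guarded wrapper around
# "splunk clean eventdata" for a Windows Splunk Enterprise instance.
# Assumptions: run from an elevated PowerShell prompt; $SplunkHome is the
# installation root containing bin\splunk.exe (default path is assumed).
param(
    [Parameter(Mandatory = $true)]
    [string]$IndexName,
    [string]$SplunkHome = 'C:\Program Files\Splunk'
)

$splunk = Join-Path $SplunkHome 'bin\splunk.exe'
if (-not (Test-Path $splunk)) {
    throw "splunk.exe not found at '$splunk'"
}

# Without -index, clean eventdata empties every index. Require one literal
# name with no whitespace or wildcard characters.
if ([string]::IsNullOrWhiteSpace($IndexName) -or $IndexName -match '[\*\?\s]') {
    throw 'Refusing to run: index name must be a single literal index name'
}

# Internal indexes (_audit, _internal, ...) hold audit and health data that
# investigations depend on; do not let this wrapper touch them.
if ($IndexName.StartsWith('_')) {
    throw "Refusing to clean internal index '$IndexName'"
}

# Make the operator retype the name so a typo cannot select the wrong index.
$confirm = Read-Host "This permanently deletes all events in '$IndexName'. Retype the index name to confirm"
if ($confirm -cne $IndexName) {
    throw 'Aborted: confirmation did not match'
}

# splunkd must be stopped before clean will run.
& $splunk stop
if ($LASTEXITCODE -ne 0) {
    throw "splunk stop failed with exit code $LASTEXITCODE"
}

try {
    # -f skips Splunk's own interactive prompt; we already confirmed above.
    & $splunk clean eventdata -index $IndexName -f
    if ($LASTEXITCODE -ne 0) {
        throw "clean eventdata failed with exit code $LASTEXITCODE"
    }
    Write-Host "Index '$IndexName' cleaned."
}
finally {
    # Always bring splunkd back up, even if the clean step failed.
    & $splunk start
}
```

Run it as .\Clean-SplunkIndex.ps1 -IndexName main (script name assumed). Keeping the stop/start pair inside try/finally matters on a production indexer: a failed clean should not leave forwarders queuing data against a stopped indexer.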