topic Re: How to use a delete command in splunk...? in Getting Data In

How to use a delete command in splunk...?

prakash007 — Tue, 29 Sep 2020 09:50:04 GMT

I cannot delete the events in splunk, i did append this search with delete command..I'm looking to delete the events which have "checkout/infuse.jspmethod=KRA&servervi=" this words....i do have can_delete and delete_by_keyword role to my access...

index=* sourcetype=webserver_logs source="/opt/ihs/access/*/log/access*log" 
"*checkout/infuse.jspmethod=KRA&servervi=*" | delete

Re: How to use a delete command in splunk...?

cpetterborg — Tue, 31 May 2016 22:14:52 GMT

Are you getting any error messages?

Re: How to use a delete command in splunk...?

woodcock — Wed, 01 Jun 2016 00:09:47 GMT

Make sure that you (one of the roles of which you are a member) has the delete permission.

Re: How to use a delete command in splunk...?

prakash007 — Wed, 01 Jun 2016 00:28:41 GMT

nope, i'm not getting any error message, even i tried deleting a single event without asterisks, it doesn't work.

Re: How to use a delete command in splunk...?

prakash007 — Tue, 29 Sep 2020 09:52:34 GMT

I do have can_delete and delete_by_keyword access in my role.

Re: How to use a delete command in splunk...?

pradeepkumarg — Wed, 01 Jun 2016 01:57:01 GMT

Without the delete, do you get the results back for your search?

Re: How to use a delete command in splunk...?

prakash007 — Wed, 01 Jun 2016 03:30:55 GMT

yes i do get the results without delete.

Re: How to use a delete command in splunk...?

jkat54 — Wed, 01 Jun 2016 10:32:52 GMT

Is/are the index(Es) you're deleting from owned by the splunkd user account? Check the filesystem permissions on the indexes to verify if so.

Also check the search.log by running your delete search and then click on inspect job, then click on search.log. Look in that log for errors, warnings, etc

Re: How to use a delete command in splunk...?

prakash007 — Wed, 01 Jun 2016 14:04:54 GMT

I don't think delete would delete events from indexers, it only make events non searchable by users. correct me if i'm wrong

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delete

when i run the query it's just sitting there for a while and says the search job is expired. It's happening even when i run the search for 1hr or 1day.

Re: How to use a delete command in splunk...?

jkat54 — Wed, 01 Jun 2016 14:24:44 GMT

It needs write permission to write a deleted flag; no?

Re: How to use a delete command in splunk...?

kbrown_splunk — Tue, 29 Sep 2020 09:50:21 GMT

First your search command is fine.

Setting can_delete will allow you to delete. (Make sure you remove can_delete when you are done.)

Anything is possible with permissions but it is likely good if you are indexing data into the index

We do not have write/read permissions in our roles, splunkd writes, you read, unless you set can_delete. The roles can restrict the index you are allowed to use but you said your search returns events so you are good there.

Are your indexers clustered?

See this section in the link below: "The delete operation and indexer clusters"
http://docs.splunk.com/Documentation/Splunk/6.4.1/Indexer/RemovedatafromSplunk

As already mentioned, check splunkd.log for errors

Re: How to use a delete command in splunk...?

jward6004 — Tue, 04 Oct 2016 16:27:59 GMT

How would I setup a scheduled search to check if the delete command was run in my environment?

Re: How to use a delete command in splunk...?

jkat54 — Tue, 04 Oct 2016 16:51:33 GMT

This is a different question. Click on the gear button on the upper right corner of your comment, and select "convert to question" in order to convert your answer to a question.

The solution is very simple and I'll be happy to help you once you convert this to your own question.

Re: How to use a delete command in splunk...?

woodcock — Tue, 18 Oct 2016 13:54:25 GMT

If the job is timing out it is because you have a huge number of events being returned. When you run the search, click on the "jobs" menu and select "Send job to background" and give it an email address to send you an email when it is done. This will keep the job from timing out.