https://community.splunk.com/t5/Getting-Data-In/How-to-detect-data-supression-in-Splunk/m-p/492962#M84263 <P>Hello,</P> <P>There are few ways to suppress data in Splunk, like <CODE>| delete</CODE> command from search menu or <CODE>splunk clean eventdata</CODE> from shell. I wondering to know if there is a simple way to generate an alert when someone suppress data from Splunk.</P> <P>Thanks for the help.</P> Wed, 18 Mar 2020 16:05:45 GMT woodentree 2020-03-18T16:05:45Z https://community.splunk.com/t5/Getting-Data-In/How-to-detect-data-supression-in-Splunk/m-p/492962#M84263 <P>Hello,</P> <P>There are few ways to suppress data in Splunk, like <CODE>| delete</CODE> command from search menu or <CODE>splunk clean eventdata</CODE> from shell. I wondering to know if there is a simple way to generate an alert when someone suppress data from Splunk.</P> <P>Thanks for the help.</P> Wed, 18 Mar 2020 16:05:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-detect-data-supression-in-Splunk/m-p/492962#M84263 woodentree 2020-03-18T16:05:45Z https://community.splunk.com/t5/Getting-Data-In/How-to-detect-data-supression-in-Splunk/m-p/492963#M84264 <P>You could search remote_searches.log for "| delete". <BR /> To find CLI commands, you have to be indexing the .bash_history file of every user who can run the <CODE>splunk clean</CODE> command. Then it's a simple matter to search command histories for the command.</P> <P>A clarification: <CODE>splunk clean eventdata</CODE> does not <EM>suppress</EM> data, it <EM>erases</EM> it.</P> Wed, 30 Sep 2020 04:39:53 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-detect-data-supression-in-Splunk/m-p/492963#M84264 richgalloway 2020-09-30T04:39:53Z https://community.splunk.com/t5/Getting-Data-In/How-to-detect-data-supression-in-Splunk/m-p/492964#M84265 <P>Thanks for the help!</P> Fri, 20 Mar 2020 13:44:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-detect-data-supression-in-Splunk/m-p/492964#M84265 woodentree 2020-03-20T13:44:42Z