topic Delete specific data in cluster environment in Monitoring Splunk

Delete specific data in cluster environment

NOORULAINE — Tue, 10 Oct 2023 11:14:11 GMT

How to delete only specific data from the specific index(note: not the entire data)in clustered environment

Re: Delete specific data in cluster environment

PickleRick — Tue, 10 Oct 2023 11:43:05 GMT

With Splunk there is no way to delete data from the index other than the normal rolling oldest buckets to frozen.

There is the "delete" command but it doesn't actually delete the data from the index files (since the index files are immutable after creation and may be - as mentioned above - only rolled as a whole) but it marks that data as not searchable.

That's one of the reasons why you should test your configurations - especially the input-related elements - in a dev/test environment before deploying it to production.

Re: Delete specific data in cluster environment

gcusello — Tue, 10 Oct 2023 17:29:57 GMT

Hi @NOORULAINE ,

as @PickleRick said, it's possible to delete events (not the entire index) but it's only a logic deletion, not physical only, enabling the can_delete role for the user and it's a very dangerous feature that usually is disabled also for administrators.

The only phisical detetions are the splunk clean eventdata command, but it deletes the entire index and when a bucket rolls from cold at the end of the retention time.

Ciao.

Giuseppe