topic Re: Delete logs in Splunk Search

Delete logs

anil1432 — Thu, 10 Jun 2021 16:38:02 GMT

Hi All,

How can I delete my logs permanently

Request to delete old Splunk logs for EMS and Truvue webservices that are older than 05/17/2021.
* Long Description
Request to delete old Splunk logs for EMS (App id: 2926) and Truvue webservices (App id: 637) that are older than 05/17/2021 as required by Experian GSO as these
logs contained plain text Pll data.
As part of an Insider Threat audit currently being performed the following Splunk index was flagged as containing clear text Pll data originating from a production
host.
eits_ec_prod_us
Items in Index: Name/Address/DOB/SSN
Host names:
mckecpap043v
mckecpap044
I
alnecsap456V
alnecsap455v
Source = /logs/TRUVUEWS_V6/TRUVUEWS_V6-std.log

Re: Delete logs

danielcj — Thu, 10 Jun 2021 16:45:16 GMT

Hi,
You have to create a search that returns only the results that should be deleted (correct search terms and correct time range). After that, you should add the "delete" command.
Example:

<your_search> | delete

The data is not removed from the index, but it will not be returned on future searches. To use the command you need to run the search with an user with a role with capability "delete_by_keyword"

Re: Delete logs

anil1432 — Fri, 11 Jun 2021 05:20:44 GMT

So I need to delete only events from my from my logs. i.e from 17/05/2021 to delete events . How can I ?

Re: Delete logs

eichfuss — Fri, 11 Jun 2021 10:57:44 GMT

Hey @anil1432
you can filter your logs in the search (i.e. index=xyz host=xyz) and set the time selection (i.e. Date Range - Between - 17/05/2021 00:00:00 and 17/05/2021 24:00:00) and then type the "| delete" command, then the filtered events will me deleted (marked as deleted). The Data / events are still on the Storage / in the Index.