Knowledge Management

Cleaning up an index

amirarsalan
Explorer

Hi!
I need help with cleaning up an index.
What I need help with is that I need to know what is being searched for, how much it is searched for, which sources are used, and which unnecessary information can be removed.
How can I do this in the best way?

0 Karma

nickhills
Ultra Champion

You can't 'really' remove data from an index (I'll come back to that).

Data is only deleted when the whole bucket is removed - and this occurs only when the bucket rolls from cold to frozen (the default frozen action is to delete, unless you have configured it to do something else.) This occurs when a.) you run out of space in your index, or b.) the data has met its retention policy, and is now ready for removal.

Your question seems to be around selectively 'deleting' some of the data from the index. This is 'sort of' possible, but with some major limitations. However, I think we should start by asking: "Why do you want to delete it?"

There are a few reasons I can think of for "Why"
1.) Make Splunk faster - this won't work; selectively removing data has no impact on performance (if anything, it might slow things down).
2.) There is sensitive data my auditors have found and we want to remove it - sadly, this won't work either. When you |delete data, it's never actually removed from the index; it is simply hidden from view, but the data is still on your indexer. If you are looking at this from an audit perspective, this won't truthfully address their concern, as with relatively little effort deleted data can be un-deleted or read. (I don't judge how well you sleep at night.)
3.) The data is sensitive, and only certain people should have access to it - in a pinch this would work, but ideally you should start by separating data into different indexes so you can apply restrictions etc.
4.) Maybe you have another reason?

To get an idea of what data is being searched you can use the _audit index, but to get the detail you requested could be quite complex.

If my comment helps, please give it a thumbs up!
0 Karma
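As an added illustration of the two points above (bucket-level retention, and separating sensitive data into its own index so access can be restricted), here is what those knobs look like in Splunk's indexes.conf and authorize.conf. This is example configuration added to the thread, not part of nickhills's post; the index name pci_sensitive, the role name pci_analyst and the archive path are made-up assumptions.

```ini
# indexes.conf (on the indexers) - hypothetical index for the sensitive data.
# Retention is enforced per bucket, never per event: a bucket rolls to frozen
# when its NEWEST event is older than frozenTimePeriodInSecs, or when the whole
# index exceeds maxTotalDataSizeMB (oldest bucket goes first). With neither
# coldToFrozenDir nor coldToFrozenScript set, "frozen" means the bucket
# directory is deleted from disk.
[pci_sensitive]
homePath   = $SPLUNK_DB/pci_sensitive/db
coldPath   = $SPLUNK_DB/pci_sensitive/colddb
thawedPath = $SPLUNK_DB/pci_sensitive/thaweddb
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB     = 100000
# Uncomment to archive buckets instead of deleting them when they freeze
# (assumed path; the directory must exist and be writable by splunkd):
# coldToFrozenDir = /archive/splunk/pci_sensitive

# authorize.conf (on the search head) - a role that can search ONLY that index.
# Index access is the union of a role's own srchIndexesAllowed and that of
# every role it imports, so do not import a role that already allows "*"
# (the built-in user role does); grant the needed capabilities directly.
[role_pci_analyst]
search = enabled
srchIndexesAllowed = pci_sensitive
srchIndexesDefault = pci_sensitive
```

frozenTimePeriodInSecs = 7776000 is 90 days (the shipped default is 188697600, roughly six years) and maxTotalDataSizeMB defaults to 500000. Because the check is on the newest event in a bucket, an individual event can outlive the retention period until everything else in its bucket has aged out too; the only way to get a hard, short deadline for one class of data is to give it its own index with its own retention, which is the same separation the role restriction needs.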

amirarsalan
Explorer

The reason was actually what you said.
Then I understand.
@nickhillscpl, another question then: how can I see what users are searching for in a specific index?

0 Karma
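One way to answer the follow-up question, added here as an example and not part of either poster's replies: every search a user runs is recorded in the _audit index (sourcetype audittrail) with the user, the full search string and, on the info=completed event, run-time and result counts. The search below pulls the index name out of each recorded search string and reports who is searching a given index, how often, and with what. It assumes the index is called pci_sensitive and that the person running it has a role that may search _audit (only admin does by default).

```spl
index=_audit sourcetype=audittrail action=search info=completed
    NOT user=splunk-system-user
| rex field=search "index\s*=\s*\"?(?<searched_index>[A-Za-z0-9_\-\*]+)\"?"
| search searched_index=pci_sensitive
| eval search=substr(search, 1, 200)
| stats count AS searches
        dc(user) AS distinct_users
        avg(total_run_time) AS avg_runtime_s
        sum(event_count) AS events_returned
        latest(_time) AS last_run
        BY user search
| convert ctime(last_run)
| sort - searches
```

Line by line: the first line keeps only completed user searches (info=granted events exist for every accepted search but carry no timing or count fields, and splunk-system-user is Splunk's own housekeeping); rex captures the first index= term, so a search that names several indexes is attributed to the first one only, and a search that relies on the role's default indexes has no index= term at all and is not caught; substr truncates long search strings so the grouping stays readable; total_run_time and event_count come straight from the audit event. Drop the `search searched_index=...` line to get the same breakdown for every index at once, which is the "what is searched, and how much" half of the original question, and add a second rex for sourcetype= or source= if the "which sources" half matters. Scheduled searches carry a savedsearch_name field, which is a handy way to separate them from ad hoc ones.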