Deployment Architecture

I am trying to delete events but still i can able to see those events?

pha
New Member

I am trying to delete events but the events not getting deleted i can see those events.
Below command i am use to delete.
i got the results what i need to delete.
But still the events are there the query runs success full. i am not sure why it is happening

ex: index=xyz source=abc |delete

Thanks in advance

Tags (1)
0 Karma

somesoni2
Revered Legend
0 Karma

pha
New Member

But still i can see the events

0 Karma

imthesplunker
Path Finder

Run this search first
index=xyz source=abc |timechart count by splunk_server limit=0

Later, run the below search on each indexer server that are listed in splunk_server
index=xyz source=abc |delete

0 Karma

somesoni2
Revered Legend

The delete command should give output of how many events it's deleting from each indexer, are you getting that? Do you use indexer cluster? It may take a while for data to be deleted completely from all nodes of indexer cluster.

0 Karma
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...