I am trying to delete events but the events not getting deleted i can see those events.
Below command i am use to delete.
i got the results what i need to delete.
But still the events are there the query runs success full. i am not sure why it is happening
ex: index=xyz source=abc |delete
Thanks in advance
Do you have indexer cluster?
If yes, then read this
But still i can see the events
Run this search first
index=xyz source=abc |timechart count by splunk_server limit=0
Later, run the below search on each indexer server that are listed in splunk_server
index=xyz source=abc |delete
The delete command should give output of how many events it's deleting from each indexer, are you getting that? Do you use indexer cluster? It may take a while for data to be deleted completely from all nodes of indexer cluster.