Deployment Architecture

I am trying to delete events but still i can able to see those events?

pha
New Member

I am trying to delete events but the events not getting deleted i can see those events.
Below command i am use to delete.
i got the results what i need to delete.
But still the events are there the query runs success full. i am not sure why it is happening

ex: index=xyz source=abc |delete

Thanks in advance

Tags (1)
0 Karma

somesoni2
Revered Legend
0 Karma

pha
New Member

But still i can see the events

0 Karma

imthesplunker
Path Finder

Run this search first
index=xyz source=abc |timechart count by splunk_server limit=0

Later, run the below search on each indexer server that are listed in splunk_server
index=xyz source=abc |delete

0 Karma

somesoni2
Revered Legend

The delete command should give output of how many events it's deleting from each indexer, are you getting that? Do you use indexer cluster? It may take a while for data to be deleted completely from all nodes of indexer cluster.

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...