I am trying to delete events but still i can able ...

pha · ‎07-25-2018

I am trying to delete events but the events not getting deleted i can see those events.
Below command i am use to delete.
i got the results what i need to delete.
But still the events are there the query runs success full. i am not sure why it is happening

ex: index=xyz source=abc |delete

Thanks in advance

somesoni2 · ‎07-25-2018

Do you have indexer cluster?
If yes, then read this
http://docs.splunk.com/Documentation/Splunk/7.1.2/Indexer/RemovedatafromSplunk#The_delete_operation_...

pha · ‎07-25-2018

But still i can see the events

imthesplunker · ‎07-25-2018

Run this search first
index=xyz source=abc |timechart count by splunk_server limit=0

Later, run the below search on each indexer server that are listed in splunk_server
index=xyz source=abc |delete

somesoni2 · ‎07-25-2018

The delete command should give output of how many events it's deleting from each indexer, are you getting that? Do you use indexer cluster? It may take a while for data to be deleted completely from all nodes of indexer cluster.

I am trying to delete events but still i can able to see those events?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?