Getting Data In

Deleting audit events will be logged in the internal index?

New Member

I wonder if the activity of deleting audit events from Splunk cloud will be logged/tracked in Splunk internal logs, e.g. logged as sourcetype of splunk_ui_access. If so, is there an official document that clearly states this? Is there any other evidence that someone deleted audit events?

0 Karma

Esteemed Legend

Hi @just4testsplunk_2020,
all the events aren't deleted in Splunk (on premise or cloud) during the retention period until the max dimension of the index is reached: the oldest events are deleted only when they exceed the retention period or the max dimension of the index, if there isn't a coldToFrozenScript that archives them offline.

If you don't see events, check the retention period (usually in Splunk Cloud it's 3 months) and the max dimension of your storage; if you need more storage or more retention, you have to buy them.


0 Karma

New Member

Thanks for your response! Maybe my question is not clear enough. Sorry about that. My question is: if someone with the admin role deletes audit events or some other events, e.g. index=audit | delete, will this activity be logged as an event into index=_internal? In other words, if someone deletes events by running the delete command, it can be traced and tracked, correct? Thanks.

0 Karma
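As an added example (not from this thread and not Splunk's own code), a small Python detector that scans audit-style events for searches that invoke the delete command, which is the kind of evidence the question is asking about. The Audit:[key=value, ...] layout, the field names and the sample lines are constructed assumptions modelled on Splunk's audit log style, not values taken from this page.

```python
import re

# Constructed sample events in an Audit:[key=value, ...] layout (assumption:
# modelled on Splunk's _audit format; real events carry more fields).
SAMPLE_AUDIT = """\
Audit:[timestamp=11-02-2022 09:14:03.120, user=alice, action=search, info=granted, search='search index=web status=500']
Audit:[timestamp=11-02-2022 09:20:41.007, user=admin, action=search, info=granted, search='search index=_audit user=bob | delete']
Audit:[timestamp=11-02-2022 09:21:10.551, user=admin, action=search, info=granted, search='search index=main | stats count by deleted_flag']
Audit:[timestamp=11-02-2022 09:25:55.903, user=carol, action=login_attempt, info=succeeded]
Audit:[timestamp=11-02-2022 09:30:12.334, user=admin, action=search, info=granted, search='search index=audit|DELETE']
"""

AUDIT_RE = re.compile(r"Audit:\[(.*)\]$")
# key=value pairs; a value is either a single-quoted string (may contain commas
# and '=') or a bare run up to the next comma.
KV_RE = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|[^,]+)")
# A pipe followed by the bare `delete` command, case-insensitive, so that a
# field named deleted_flag in a stats clause does not trigger a hit.
DELETE_CMD_RE = re.compile(r"\|\s*delete\b", re.IGNORECASE)


def parse_audit_line(line):
    """Return the key=value fields of one audit line, or None if it is not one."""
    m = AUDIT_RE.search(line.strip())
    if not m:
        return None
    fields = {}
    for key, value in KV_RE.findall(m.group(1)):
        fields[key] = value.strip().strip("'")
    return fields


def find_delete_searches(text):
    """Return (timestamp, user, search) for every search event that pipes to delete."""
    hits = []
    for line in text.splitlines():
        ev = parse_audit_line(line)
        if not ev or ev.get("action") != "search":
            continue
        if DELETE_CMD_RE.search(ev.get("search", "")):
            hits.append((ev["timestamp"], ev["user"], ev["search"]))
    return hits


if __name__ == "__main__":
    for ts, user, spl in find_delete_searches(SAMPLE_AUDIT):
        print(f"{ts}  user={user}  search={spl!r}")
```

On the constructed sample the detector reports the two admin searches that end in a delete command and ignores the stats search that merely mentions a field called deleted_flag.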