Solved: How to detect data supression in Splunk?

woodentree · ‎03-18-2020

Hello,

There are few ways to suppress data in Splunk, like | delete command from search menu or splunk clean eventdata from shell. I wondering to know if there is a simple way to generate an alert when someone suppress data from Splunk.

Thanks for the help.

richgalloway · ‎03-19-2020

You could search remote_searches.log for "| delete".
To find CLI commands, you have to be indexing the .bash_history file of every user who can run the splunk clean command. Then it's a simple matter to search command histories for the command.

A clarification: splunk clean eventdata does not suppress data, it erases it.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎03-19-2020

You could search remote_searches.log for "| delete".
To find CLI commands, you have to be indexing the .bash_history file of every user who can run the splunk clean command. Then it's a simple matter to search command histories for the command.

A clarification: splunk clean eventdata does not suppress data, it erases it.

---
If this reply helps you, Karma would be appreciated.

woodentree · ‎03-20-2020

Thanks for the help!

How to detect data supression in Splunk?

Happy CX Day to our Community Superheroes!

Check out This Month’s Brand new Splunk Lantern Articles

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector