Getting Data In

How to detect data supression in Splunk?

woodentree
Communicator

Hello,

There are few ways to suppress data in Splunk, like | delete command from search menu or splunk clean eventdata from shell. I wondering to know if there is a simple way to generate an alert when someone suppress data from Splunk.

Thanks for the help.

Tags (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

You could search remote_searches.log for "| delete".
To find CLI commands, you have to be indexing the .bash_history file of every user who can run the splunk clean command. Then it's a simple matter to search command histories for the command.

A clarification: splunk clean eventdata does not suppress data, it erases it.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

You could search remote_searches.log for "| delete".
To find CLI commands, you have to be indexing the .bash_history file of every user who can run the splunk clean command. Then it's a simple matter to search command histories for the command.

A clarification: splunk clean eventdata does not suppress data, it erases it.

---
If this reply helps you, Karma would be appreciated.

woodentree
Communicator

Thanks for the help!

0 Karma
Get Updates on the Splunk Community!

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...