Getting Data In

How to detect data supression in Splunk?

woodentree
Communicator

Hello,

There are few ways to suppress data in Splunk, like | delete command from search menu or splunk clean eventdata from shell. I wondering to know if there is a simple way to generate an alert when someone suppress data from Splunk.

Thanks for the help.

Tags (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

You could search remote_searches.log for "| delete".
To find CLI commands, you have to be indexing the .bash_history file of every user who can run the splunk clean command. Then it's a simple matter to search command histories for the command.

A clarification: splunk clean eventdata does not suppress data, it erases it.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

You could search remote_searches.log for "| delete".
To find CLI commands, you have to be indexing the .bash_history file of every user who can run the splunk clean command. Then it's a simple matter to search command histories for the command.

A clarification: splunk clean eventdata does not suppress data, it erases it.

---
If this reply helps you, Karma would be appreciated.

woodentree
Communicator

Thanks for the help!

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...