Getting Data In
Highlighted

How to detect data supression in Splunk?

Path Finder

Hello,

There are few ways to suppress data in Splunk, like | delete command from search menu or splunk clean eventdata from shell. I wondering to know if there is a simple way to generate an alert when someone suppress data from Splunk.

Thanks for the help.

Tags (3)
0 Karma
Highlighted

Re: How to detect data supression in Splunk?

SplunkTrust
SplunkTrust

You could search remotesearches.log for "| delete".
To find CLI commands, you have to be indexing the .bash
history file of every user who can run the splunk clean command. Then it's a simple matter to search command histories for the command.

A clarification: splunk clean eventdata does not suppress data, it erases it.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

Highlighted

Re: How to detect data supression in Splunk?

Path Finder

Thanks for the help!

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.