Solved: How to detect data supression in Splunk?

woodentree · ‎03-18-2020

Hello,

There are few ways to suppress data in Splunk, like | delete command from search menu or splunk clean eventdata from shell. I wondering to know if there is a simple way to generate an alert when someone suppress data from Splunk.

Thanks for the help.

richgalloway · ‎03-19-2020

You could search remote_searches.log for "| delete".
To find CLI commands, you have to be indexing the .bash_history file of every user who can run the splunk clean command. Then it's a simple matter to search command histories for the command.

A clarification: splunk clean eventdata does not suppress data, it erases it.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎03-19-2020

You could search remote_searches.log for "| delete".
To find CLI commands, you have to be indexing the .bash_history file of every user who can run the splunk clean command. Then it's a simple matter to search command histories for the command.

A clarification: splunk clean eventdata does not suppress data, it erases it.

---
If this reply helps you, Karma would be appreciated.

woodentree · ‎03-20-2020

Thanks for the help!

How to detect data supression in Splunk?

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud

Join the Conversation

How to detect data supression in Splunk?

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud