
How to use a delete command in splunk...?

prakash007
Builder

I cannot delete the events in Splunk; I did append this search with the delete command. I'm looking to delete the events which have the words "checkout/infuse.jspmethod=KRA&servervi=". I do have the can_delete and delete_by_keyword role in my access...

index=* sourcetype=webserver_logs source="/opt/ihs/access/*/log/access*log" 
"*checkout/infuse.jspmethod=KRA&servervi=*" | delete
0 Karma

woodcock
Esteemed Legend

If the job is timing out it is because you have a huge number of events being returned. When you run the search, click on the "jobs" menu and select "Send job to background" and give it an email address to send you an email when it is done. This will keep the job from timing out.

0 Karma

jward6004
Explorer

How would I setup a scheduled search to check if the delete command was run in my environment?

0 Karma

jkat54
SplunkTrust

This is a different question. Click on the gear button on the upper right corner of your comment, and select "convert to question" in order to convert your answer to a question.

The solution is very simple and I'll be happy to help you once you convert this to your own question.

0 Karma
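An added example, not jkat54's solution and not code from the thread, of the scheduled check jward6004 asks about. It assumes the default Splunk audit trail in index=_audit, where every dispatched search is logged with action=search, info=granted, a user field and the full SPL in the search field; the stanza name, schedule and the alert conditions below are hypothetical choices.

```ini
# savedsearches.conf (hypothetical stanza; added example, not from the thread)
# Fires whenever any user dispatches a search whose pipeline contains the delete command.
# The wildcard on the search field is a cheap prefilter; the regex confirms an actual
# "| delete" stage rather than the word appearing in a keyword or a field value.
[Audit - delete command executed]
search = index=_audit action=search info=granted search="*delete*" \
    | regex search="(?i)\|\s*delete(\s|$)" \
    | table _time user search_id search
cron_schedule = */15 * * * *
dispatch.earliest_time = -20m
dispatch.latest_time = now
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
```

The 20-minute window with a 15-minute schedule overlaps on purpose so a late-arriving audit event is not missed. Run the search = line interactively first over a wide time range to confirm the audit fields look the same on your version before scheduling it.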

kbrown_splunk
Splunk Employee

First, your search command is fine.

Setting can_delete will allow you to delete. (Make sure you remove can_delete when you are done.)

Anything is possible with permissions, but it is likely good if you are indexing data into the index.

We do not have write/read permissions in our roles, splunkd writes, you read, unless you set can_delete. The roles can restrict the index you are allowed to use but you said your search returns events so you are good there.

Are your indexers clustered?

See this section in the link below: "The delete operation and indexer clusters"
http://docs.splunk.com/Documentation/Splunk/6.4.1/Indexer/RemovedatafromSplunk

As already mentioned, check splunkd.log for errors.

0 Karma
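An added example, not kbrown_splunk's words or a Splunk default, showing two ways of granting the delete capability the reply discusses: the broad pattern of enabling it on the admin role, beside a narrower role scoped to the one index being cleaned up so it can be assigned for the task and removed afterwards. The role name and index name are hypothetical; delete_by_keyword, srchIndexesAllowed and srchIndexesDefault are real authorize.conf settings.

```ini
# authorize.conf (added example, not from the thread; role and index names are hypothetical)

# Broad pattern: every admin can run "| delete" against every index they can search,
# permanently. Easy to forget to revoke, and it is how keyword-based deletes go wrong.
[role_admin]
delete_by_keyword = enabled

# Scoped pattern: a task-specific role that carries only the delete capability and is
# limited to the index being cleaned up. Assign it to the operator for the duration of
# the cleanup, then remove the role assignment, as the reply above advises.
[role_webserver_cleanup]
delete_by_keyword = enabled
srchIndexesAllowed = webserver
srchIndexesDefault = webserver
```

One caveat a practitioner should check: index access is unioned across all roles a user holds, so the scoping in role_webserver_cleanup only holds if the operator's other roles (the one supplying ordinary search access) do not already allow wider indexes. Verify the effective set with the role's page under Settings > Roles before running the delete.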

jkat54
SplunkTrust

Is/are the index(es) you're deleting from owned by the splunkd user account? Check the filesystem permissions on the indexes to verify.

Also check the search.log by running your delete search, then clicking on Inspect Job, then clicking on search.log. Look in that log for errors, warnings, etc.

0 Karma

prakash007
Builder

I don't think delete would delete events from indexers; it only makes events non-searchable by users. Correct me if I'm wrong.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delete

When I run the query it just sits there for a while and then says the search job has expired. It's happening even when I run the search for 1 hr or 1 day.

0 Karma

jkat54
SplunkTrust

It needs write permission to write a deleted flag; no?

0 Karma

prakash007
Builder

I do have can_delete and delete_by_keyword access in my role.

0 Karma

pradeepkumarg
Influencer

Without the delete, do you get the results back for your search?

0 Karma

prakash007
Builder

Yes, I do get the results without delete.

0 Karma

woodcock
Esteemed Legend

Make sure that you (one of the roles of which you are a member) have the delete permission.

cpetterborg
SplunkTrust

Are you getting any error messages?

0 Karma

prakash007
Builder

Nope, I'm not getting any error message; even when I tried deleting a single event without asterisks, it doesn't work.

0 Karma