I'm writing a Splunk App and looking for a few pointers on how to approach the following:
It is technically possible to do what you are asking: create a service account that has permissions to run Splunk queries that use the delete command, which does not delete data from the underlying storage but does prevent the events from being returned in searches. Here's some documentation on this:
https://docs.splunk.com/Documentation/Splunk/7.0.0/Indexer/RemovedatafromSplunk
And then it is possible to feed Splunk new events with the same timestamps as the prior events but with revised data.
However, this is a terrible idea. Allowing a service account to delete data at will is asking for trouble. Even though you can, you definitely should not.
By far, your best bet is to go with your final suggestion - to log all the events/data and use SPL to find the correct data. This means you should give some good thought now, while you are architecting your script and processes, to how you will correlate revised logs and clearly identify them.
Once events have been indexed they cannot be changed in any way. Your only option is as you've already surmised - index the updated event and use SPL to filter out old events and only look at ones with the most recent indexed-on-date.
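Putting both answers into practice, here is an added savedsearches.conf fragment for the app (written for this page, not taken from either poster). It assumes the script tags every event with a `record_id` correlation key and an integer `revision` it increments on each re-emit; the index, sourcetype, stanza and field names are placeholders.

```ini
# savedsearches.conf (constructed example; index, sourcetype and field names
# are placeholders for whatever the script actually emits).
# Assumption: every event carries record_id, a stable key shared by an original
# event and all of its revisions, and revision, an integer the script increments
# each time it re-emits a record. Backslashes continue a value onto the next line.

# Report view: keep only the most recently indexed copy of each record_id,
# so revised events supersede originals without deleting anything.
[myscript_latest_revisions]
search = index=myapp sourcetype=myscript:events \
| eventstats max(_indextime) AS latest_indextime BY record_id \
| where _indextime == latest_indextime \
| fields - latest_indextime \
| eval indexed_at=strftime(_indextime, "%F %T") \
| table _time indexed_at record_id revision _raw

# Same idea keyed on the script's own counter instead of index time; prefer this
# when revisions can be re-ingested out of order (e.g. after a forwarder replay),
# because _indextime then no longer reflects which copy is newest.
[myscript_latest_by_revision]
search = index=myapp sourcetype=myscript:events \
| eventstats max(revision) AS latest_revision BY record_id \
| where revision == latest_revision \
| fields - latest_revision

# Audit view: which records were revised, how often, and when. Because the
# original events are kept rather than deleted, this history is always available.
[myscript_revision_audit]
search = index=myapp sourcetype=myscript:events \
| stats count AS versions, min(_indextime) AS first_seen, max(_indextime) AS last_seen, \
        values(revision) AS revisions BY record_id \
| where versions > 1 \
| eval first_seen=strftime(first_seen, "%F %T"), last_seen=strftime(last_seen, "%F %T") \
| sort - versions
```

For ad-hoc searches, `| dedup record_id sortby -_indextime` gives the same result as the first stanza in one command; the `eventstats`/`where` form is shown because it keeps all fields intact and is easier to extend with additional keys.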