You cant 'really' remove data from an index (I'll come back to that)

Data is only deleted when the whole bucket is removed - and this occurs only when the bucket rolls from cold to frozen (the default frozen action is to delete, unless you have configured it to do something else.) This occurs when a.) you run out of space in your index, or b.) the data has met its retention policy, and is now ready for removal.

Your question seems to be around selectively 'deleting' some of the data from the index - this is 'sort of' possible, but with some major limitations, however I think we should start by asking - "Why do you want to delete it?"

There are a few reasons I can think of for "Why"
1.) Make Splunk faster - this wont work, selectively removing data has no impact on performance (if anything, it might slow things down)
2.) There is sensitive data my auditors have found and we want to remove it - sadly, this wont work either. When you |delete data, its never actually removed from the index, it is simply hidden from view, but the data is still on your indexer - if you are looking at this from an audit perspective this won't truthfully address their concern as with relatively little effort, deleted data can be un-deleted or read . (I don't judge how well you sleep at night)
3.) The data is sensitive, and only certain people should have access to it - in a pinch this would work, but ideally you should start by separating data into different indexes so you can apply restrictions etc.
4.) Maybe you have another reason?

To get an idea of what data is being searched you can use the _audit index, but to get the detail you requested could be quite complex.