Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to delete events from a summary-index?

gcusello
SplunkTrust
SplunkTrust
‎04-28-2016 07:19 AM

Hi,

Is it possible to delete some events (not the full index) from a summary index?
something like | delete command?

Thank you.
Giuseppe

Reply
1 Solution
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎04-28-2016 10:08 AM

Hi cusello,

Yes you can delete the events using | delete command, make sure that you are adding the pipe right after your base search. Here are the delete command description and the link,

Description 

Makes events irretrievable from the Splunk Enterprise indexes.
Caution: Removing data is irreversible. If you want to get your data back after the data is deleted, you must re-index the applicable data sources.

Ref: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delete

Hope this will helps you.

Thanks,
V

V

View solution in original post

Reply
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎04-28-2016 10:08 AM

Hi cusello,

Yes you can delete the events using | delete command, make sure that you are adding the pipe right after your base search. Here are the delete command description and the link,

Description 

Makes events irretrievable from the Splunk Enterprise indexes.
Caution: Removing data is irreversible. If you want to get your data back after the data is deleted, you must re-index the applicable data sources.

Ref: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delete

Hope this will helps you.

Thanks,
V

V
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-28-2016 10:18 AM

You may not have permission to use the delete command.

Reply
Solved! Jump to solution

Adan12345
Explorer
‎08-15-2023 11:37 AM

How is "delete" permissions granted to an individual users?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-28-2016 11:47 PM

Excuse me, but I probably misspoke!
My problem is that I loaded wrong events in a tsidx index using the tscollect command (BlueCoat App) and now I don't know how to delete them because I cannot use the "| delete" command after a non-streaming command 'tstats'.
How can I search events loaded in a tsidx index and delete them?
Thank you.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

vasanthmss
Motivator
‎04-29-2016 02:33 PM

Post your search

V
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-02-2016 05:26 AM

The load search is:

`bcoat_request`| rex field=source "(?(Proxy|Users)_.*)" | table _time action bytes_in bytes_out category cs_uri_path cs_uri_scheme cs_uri_extension dest_host filter_result http_content_type http_referrer http_user_agent sc_status src_ip src_user x_bluecoat_application_name x_virus_id dvc_ip proxysource | tscollect namespace=bluecoat_stats

It's the Splunk App for BlueCoat standard load search, the only difference is that I extract an additional field ( proxysource ).
Thank you.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

vasanthmss
Motivator
‎04-28-2016 10:37 AM

Perfect point.

V
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...