Splunk Enterprise Security

Closing Notable Events - Set Close Datetime

gbam
Explorer

I'm looking to close out (or delete) all notable events that were created prior to a specific date time.  The way they're trying to run reports, it is easier to delete them or close them than it would be to filter them from the reports.  Is there a way to use an eval query (or similar) or would it be best to use the API to close them?  Or am I SOL and I need to filter from the dashboard / report query level?

Labels (1)
0 Karma

datadevops
Path Finder

Hi there,

Eval Query for Limited Use:

While eval queries can modify certain fields, unfortunately, deleting or closing notable events directly isn't possible with them.

API Offers More Power:

The Splunk Search API is your best bet for bulk actions like closing or deleting events. You can leverage the delete or set endpoints to achieve your goal.

Filtering Still an Option:

If using the API feels daunting, consider refining your dashboard/report queries to exclude events before the specific date. Filtering might be less efficient for massive datasets, but it's a reliable route.

Remember:

  • Deleting is permanent, closing retains some data. Choose wisely!
  • Test your approach on a small sample before applying to all events.
  • Consult Splunk documentation for detailed API usage: <invalid URL removed>

~ If the reply helps, a Karma upvote would be appreciated

0 Karma
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...