Splunk Enterprise Security

Closing Notable Events - Set Close Datetime

gbam
Explorer

I'm looking to close out (or delete) all notable events that were created prior to a specific date time.  The way they're trying to run reports, it is easier to delete them or close them than it would be to filter them from the reports.  Is there a way to use an eval query (or similar) or would it be best to use the API to close them?  Or am I SOL and I need to filter from the dashboard / report query level?

Labels (1)
0 Karma

datadevops
Path Finder

Hi there,

Eval Query for Limited Use:

While eval queries can modify certain fields, unfortunately, deleting or closing notable events directly isn't possible with them.

API Offers More Power:

The Splunk Search API is your best bet for bulk actions like closing or deleting events. You can leverage the delete or set endpoints to achieve your goal.

Filtering Still an Option:

If using the API feels daunting, consider refining your dashboard/report queries to exclude events before the specific date. Filtering might be less efficient for massive datasets, but it's a reliable route.

Remember:

  • Deleting is permanent, closing retains some data. Choose wisely!
  • Test your approach on a small sample before applying to all events.
  • Consult Splunk documentation for detailed API usage: <invalid URL removed>

~ If the reply helps, a Karma upvote would be appreciated

0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...