Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Closing Notable Events - Set Close Datetime

gbam
Explorer
‎01-24-2024 08:47 AM

I'm looking to close out (or delete) all notable events that were created prior to a specific date time.  The way they're trying to run reports, it is easier to delete them or close them than it would be to filter them from the reports.  Is there a way to use an eval query (or similar) or would it be best to use the API to close them?  Or am I SOL and I need to filter from the dashboard / report query level?

Labels (1)
Labels
0 Karma
Reply

datadevops
Path Finder
‎01-28-2024 02:23 AM

Hi there,

Eval Query for Limited Use:

While eval queries can modify certain fields, unfortunately, deleting or closing notable events directly isn't possible with them.

API Offers More Power:

The Splunk Search API is your best bet for bulk actions like closing or deleting events. You can leverage the delete or set endpoints to achieve your goal.

Filtering Still an Option:

If using the API feels daunting, consider refining your dashboard/report queries to exclude events before the specific date. Filtering might be less efficient for massive datasets, but it's a reliable route.

Remember:

  • Deleting is permanent, closing retains some data. Choose wisely!
  • Test your approach on a small sample before applying to all events.
  • Consult Splunk documentation for detailed API usage: <invalid URL removed>

~ If the reply helps, a Karma upvote would be appreciated

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...