Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Closing Notable Events - Set Close Datetime

gbam
Explorer
‎01-24-2024 08:47 AM

I'm looking to close out (or delete) all notable events that were created prior to a specific date time.  The way they're trying to run reports, it is easier to delete them or close them than it would be to filter them from the reports.  Is there a way to use an eval query (or similar) or would it be best to use the API to close them?  Or am I SOL and I need to filter from the dashboard / report query level?

Labels (1)
Labels
0 Karma
Reply

datadevops
Path Finder
‎01-28-2024 02:23 AM

Hi there,

Eval Query for Limited Use:

While eval queries can modify certain fields, unfortunately, deleting or closing notable events directly isn't possible with them.

API Offers More Power:

The Splunk Search API is your best bet for bulk actions like closing or deleting events. You can leverage the delete or set endpoints to achieve your goal.

Filtering Still an Option:

If using the API feels daunting, consider refining your dashboard/report queries to exclude events before the specific date. Filtering might be less efficient for massive datasets, but it's a reliable route.

Remember:

  • Deleting is permanent, closing retains some data. Choose wisely!
  • Test your approach on a small sample before applying to all events.
  • Consult Splunk documentation for detailed API usage: <invalid URL removed>

~ If the reply helps, a Karma upvote would be appreciated

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...
Top