Splunk Search

Delete logs

anil1432
Explorer

Hi All,

How can I delete my logs permanently

 

Request to delete old Splunk logs for EMS and Truvue webservices that are older than 05/17/2021.
* Long Description
Request to delete old Splunk logs for EMS (App id: 2926) and Truvue webservices (App id: 637) that are older than 05/17/2021, as required by Experian GSO, as these logs contained plain text PII data.
As part of an Insider Threat audit currently being performed, the following Splunk index was flagged as containing clear text PII data originating from a production host.
eits_ec_prod_us
Items in Index: Name/Address/DOB/SSN
Host names:
mckecpap043v
mckecpap044
alnecsap456V
alnecsap455v
Source = /logs/TRUVUEWS_V6/TRUVUEWS_V6-std.log

0 Karma
1 Solution

eichfuss
Path Finder

Hey @anil1432 
you can filter your logs in the search (i.e. index=xyz host=xyz) and set the time selection (i.e. Date Range - Between - 17/05/2021 00:00:00 and 17/05/2021 24:00:00) and then type the "| delete" command; the filtered events will then be deleted (marked as deleted). The data / events are still on the storage / in the index.


0 Karma

danielcj
Communicator

Hi,
You have to create a search that returns only the results that should be deleted (correct search terms and correct time range). After that, you should add the "delete" command.
Example:

<your_search> | delete


The data is not removed from the index, but it will not be returned on future searches. To use the command you need to run the search as a user with a role that has the capability "delete_by_keyword".

 

0 Karma
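The procedure from the two answers above, written out as an added example (it is not from the original post or from Splunk's documentation), using the index, host names, source and 05/17/2021 cut-off named in the ticket. The time bounds are given inline as earliest/latest in Splunk's default %m/%d/%Y:%H:%M:%S format so the search does not depend on the time picker; the earliest value is an assumption, since the ticket only states the upper bound. The first search is a dry run that shows per host what would be marked deleted; the second does the deletion (the account running it needs the delete_by_keyword capability, which Splunk's built-in can_delete role carries); the third confirms that the events no longer come back.

```spl
index=eits_ec_prod_us
    (host=mckecpap043v OR host=mckecpap044 OR host=alnecsap456V OR host=alnecsap455v)
    source="/logs/TRUVUEWS_V6/TRUVUEWS_V6-std.log"
    earliest="01/01/2015:00:00:00" latest="05/17/2021:00:00:00"
| stats count, min(_time) AS first_event, max(_time) AS last_event BY host
| convert ctime(first_event), ctime(last_event)

index=eits_ec_prod_us
    (host=mckecpap043v OR host=mckecpap044 OR host=alnecsap456V OR host=alnecsap455v)
    source="/logs/TRUVUEWS_V6/TRUVUEWS_V6-std.log"
    earliest="01/01/2015:00:00:00" latest="05/17/2021:00:00:00"
| delete

index=eits_ec_prod_us
    (host=mckecpap043v OR host=mckecpap044 OR host=alnecsap456V OR host=alnecsap455v)
    source="/logs/TRUVUEWS_V6/TRUVUEWS_V6-std.log"
    earliest="01/01/2015:00:00:00" latest="05/17/2021:00:00:00"
| stats count
```

Run the three searches in order and do not shorten the filter between them: "| delete" marks every event the preceding search returns, so the dry run is the only check that the scope is right, and the search cannot be run in real-time mode. The delete command reports, per index, how many events it marked. As both answers say, marking does not remove anything from disk; for a PII finding like the one in the ticket, the events are still in the buckets until they age out of the index's retention, or until the whole index is wiped with the CLI command "splunk clean eventdata -index eits_ec_prod_us" (which discards every event in that index, not just the matched ones, and requires stopping the indexer first).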

anil1432
Explorer

So I need to delete only events from my logs, i.e. from 17/05/2021. How can I?

 

0 Karma
