Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I delete a data field from Splunk entirely?

katzr
Path Finder
‎07-25-2017 10:07 AM

I would like to delete a data field entirely from Splunk. Would I use the same way as described below? The data field I would like to delete is called "Ethnic Origin". Is this the correct way to delete it? I have the can_delete permissions.

splunk stop
splunk clean “Ethnic Origin”

Note: I ran the following searches above and that did not delete the data field Ethnic Origin. Can someone suggest a different method to delete it?

I don't want to remove the whole event- just that data field out of the event. I can generate a list of this field with a table- could I use the delete command with a table I have pulled up?

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎07-25-2017 02:21 PM

What you are trying to do is not possible. Once data is indexed, you can hide events using the | delete search command (even that does not physically delete the data off of disk).

The only way to achieve what (I think) you want to do is to delete the index itself, and re-index the data without the fields you do not want to have indexed. If you cannot remove the data from the source, you can mask it using props/transforms and the appropriate RegEx expression, but you would still need to re-index.

Depending on your use case and requirements, the scrub command may be helpful, which works by identifying certain terms/words in your events and replacing them with meaningless values.

0 Karma
Reply

somesoni2
Revered Legend
‎07-25-2017 10:55 AM

You can't delete a part of the event (fields for that matter). You can only delete the whole events. Could you describe more about requirement of yours? You may end up setting up data masking for that field which will ensure no future events will have that field and deleting full events for historical data.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...