Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to delete Queried results from Splunk DB which are indexed?

dhsetty
Explorer
‎03-19-2017 10:08 PM 
event_start=1
event_stop=500

search_parms = {'date_from': '1/10/2016:05:00', 'start': event_start, 'stop': event_stop, 'timeout': 60, 'date_to': '02/22/2017:23:39', 'mask_prvs': 0, 'maxresults': 100000},

SEARCH "mid=*" OR "icid=*" starttime::03/08/2017:00:00:00 endtime::03/15/2017:23:49:59maxtime::-1 maxevents::150000 GET events::101-600 OUTPUT splunkui::2.1

So, the Splunk response is for the above query search.

a. How to delete these results from Splunk DB which are indexed?
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Below is the code snippet, which uses "api_data" & does a "rpc" call. Can we tweek the below code snippet for deleting the Queried data from the Splunk DB?

cancel_id_token = '%s' % (cancel_id,)

    search_token = '<query>%s</query>' % (query,)
    user_token = '<user>livesplunkuser</user>'

    api_data = '<call name="executeQuery"> \
                    <params>' + \
                        self.auth_token + \
                        query_id_token + \
                        search_token + \
                        cancel_id_token + \
                        user_token + \
                   '</params> \
                </call>'

    if self.debug:
        P('api_data=%s'%(api_data,))

    try:
        self.server.request("POST", "/rpc", api_data)
        result = self.server.getresponse().read()
        return result
    except Exception, e:
        try:
            # The self.server might be used by other request, so try to use a new connection.
            server = get_proxy_server(self.url, self.port)
            server.request("POST", "/rpc", api_data)
            result = server.getresponse().read()
            server.close()
        except Exception, e:
            raise SplunkException('Could not connect to server to perform search (%s): %s'%(self.server, str(e),))
    return result

NOTE:
1. My another query, is there any option in api_data "call name" for deleting the query results from Splunk DB completely?
2. The above code snippet is from Email Security Appliance, which uses Splunk DB.

Thanks & Regards,
Dharmendra Setty

0 Karma
Reply

jplumsdaine22
Influencer
‎03-21-2017 06:25 AM

You can make individual events unsearchable using the delete command, (see here http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Delete) or you can delete all the events in an index using the splunk clean (see here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/CLIadmincommands)

0 Karma
Reply

dhsetty
Explorer
‎03-21-2017 07:06 AM

Hi,
Basically Iam looking for connecting to Splunk from Email Security Appliance, then DELETE the
queried data between Time Time-1 & Time-2 from Splunk DB completely.

Thanks & Regards,
Dharmendra Setty

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...