Splunk Search

deleted data - | delete - a query to prove this command has not been used and no data has been deleted?

r999
Path Finder

How can i tell if any data has been deleted using the | delete command?

how can i prove no data has been deleted?

Can i see if there are any flags against the data on the idnexers?

Does this command hide the data at Search Head leel or at the Indexer?

Edit: To clarify - i understand this command does not actually delete the data. i want to know if any admin user has given themself the can_delete privelege and deleted(hidden) data using |delete.

Tags (2)
1 Solution

jonuwz
Influencer

This search will show you if anyone has run the delete command :

index=_audit sourcetype=audittrail action=search search=*delete* 
| where match(search,"\|\s*delete")
| table search user

As for working out if someone has the capability, you need to look in each copy of authorize.conf to see what roles have the can_delete capability

If you have the SoS application installed, you can run this search within the app :

| btool authorize | extract | where delete_by_keyword="enabled" | table stanza

to get a list of roles with the can_delete capability.

Then you need to look in etc/passwd to see what users have these roles.
If you're going to do it properly, you'll need to factor in role heirarchies.

You might also consider signing the audit events so people cannot tamper with the results.

View solution in original post

jonuwz
Influencer

This search will show you if anyone has run the delete command :

index=_audit sourcetype=audittrail action=search search=*delete* 
| where match(search,"\|\s*delete")
| table search user

As for working out if someone has the capability, you need to look in each copy of authorize.conf to see what roles have the can_delete capability

If you have the SoS application installed, you can run this search within the app :

| btool authorize | extract | where delete_by_keyword="enabled" | table stanza

to get a list of roles with the can_delete capability.

Then you need to look in etc/passwd to see what users have these roles.
If you're going to do it properly, you'll need to factor in role heirarchies.

You might also consider signing the audit events so people cannot tamper with the results.

DaveSavage
Builder

I suspect the answer you seek is already covered in the knowledge base. Ses http://splunk-base.splunk.com/answers/30132/how-to-really-delete-not-hide-data-from-splunk for example.
You may need to differentiate in understanding between deleted (index content which does mean not available) and no longer in your system.
Good luck.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...