It is technically possible to do what you are asking: create a service account that has permissions to run Splunk queries that use the delete command, which does not delete data from the underlying storage but does prevent the events from being returned in searches. Here's some documentation on this:
https://docs.splunk.com/Documentation/Splunk/7.0.0/Indexer/RemovedatafromSplunk
And then it is possible to feed Splunk new events with the same timestamps as the prior events but with revised data.
However, this is a terrible idea. Allowing a service account to delete data at will is asking for trouble. Even though you can, you definitely should not.
By far, your best bet is to go with your final suggestion - to log all the events/data and use SPL to find the correct data. This means you should give some good thought now, while you are architecting your script and processes, to how you will correlate revised logs and clearly identify them.
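One way to implement the correlation recommended in the answer above, as an added example that is not part of the original post: each event carries a `record_id` and a `revision` field (both hypothetical names, as is `amount`), and the search keeps only the highest revision per record. A revised event may carry the same timestamp as the event it corrects, so the search selects on `revision` rather than `_time`; the sample events are constructed with `makeresults` and the comments use the `comment` macro from the Search app.

```spl
| makeresults count=5 `comment("constructed sample events; record_id, revision and amount are hypothetical fields")`
| streamstats count AS n
| eval record_id = case(n<=2, "A-100", n<=4, "A-101", true(), "A-102")
| eval revision  = case(n=1, 1, n=2, 2, n=3, 1, n=4, 2, n=5, 1)
| eval amount    = case(n=1, 40, n=2, 45, n=3, 10, n=4, 12, n=5, 7)
| eval _time     = case(record_id="A-100", 1500000000, record_id="A-101", 1500000060, true(), 1500000120) `comment("both revisions of a record share one timestamp")`
| fields - n
| eventstats max(revision) AS latest_revision BY record_id `comment("superseded events stay indexed; they are only filtered at search time")`
| where revision = latest_revision
| eval was_revised = if(latest_revision > 1, "yes", "no")
| table _time record_id revision amount was_revised
```

Against real data, replace everything up to `fields - n` with the base search for the index the script writes to; removing the `where` clause shows the full revision history of each record.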