1. Generate a list of entities you want to delete, and table only the entity_key field. Here I provide an example to delete retired entities.

```
| inputlookup itsi_entities
| eval identical_alias = _itsi_identifier_lookups
| mvexpand "identical_alias"
| eval entity_key=_key
| where retired=1
| dedup entity_key
| table entity_key
| outputcsv entities_to_be_deleted.csv
```

If you have an SHC environment, go to Help --> About to check which search head node you are on.

2. SSH to that search head node.

3. vi /opt/splunk/delete_entities.sh

4. Paste the following bash script:

```bash
#!/bin/bash
#title        :delete_entity.sh
#description  :This script will delete entities showing in entities_to_be_deleted.csv. Note, this operation is not reversible.
#author       :WL
#==============================================================================
start_time=`date +%s.%N`
# copy csv file from default location of outputcsv command to local directory
cp /opt/splunk/var/run/splunk/csv/entities_to_be_deleted.csv /opt/splunk
counter=0
while IFS="," read -r entity_key
do
    echo "removing entity $entity_key"
    # the curl command is supposed to use an API token for better security; for now you can swap in your credentials in -u username:password format
    curl -k -u username:password "https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/entity/$entity_key" -X DELETE
    counter=`expr $counter + 1`
# remove csv column headers and " quotation marks while loading file
done < <(sed 's/"//g' /opt/splunk/entities_to_be_deleted.csv | tail -n +2)
end_time=`date +%s.%N`
runtime=$( echo "$end_time - $start_time" | bc -l )
# added a reporting at the end
echo "script finished in $runtime seconds, $counter entities have been deleted"
```

Swap username:password with your credentials. Executing this script will delete the entities in the CSV file. This way is faster than the above method, because it does not need to re-authenticate every time.
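The script's own comment says the curl call should use an API token rather than `-u username:password`. The following is an added example, not the original poster's code, showing that variant with the CSV keys validated before they reach the REST path. It assumes a Splunk authentication token in a hypothetical `SPLUNK_TOKEN` variable, entity keys made only of letters, digits, `-` and `_`, and a hypothetical `DRY_RUN` switch that defaults to on.

```sh
#!/bin/sh
# Added example: token auth and key validation for the entity delete loop.
# Assumptions: SPLUNK_TOKEN holds a Splunk authentication token; entity keys
# contain only letters, digits, '-' and '_'; DRY_RUN=1 (default) deletes nothing.
BASE_URL="https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/entity"

# Succeeds only for keys that are safe to append to the REST path.
valid_entity_key() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Prints the usable keys from an outputcsv file: skips the header row,
# strips quotes and carriage returns, rejects anything malformed.
read_entity_keys() {
    tail -n +2 "$1" | tr -d '"\r' | while IFS= read -r key; do
        if valid_entity_key "$key"; then
            printf '%s\n' "$key"
        else
            printf 'skipping malformed key: %s\n' "$key" >&2
        fi
    done
}

# Deletes one entity. The token goes to curl as a config line on stdin, so it
# never shows in the process list. No -k: pass --cacert if splunkd's CA is private.
delete_entity() {
    printf 'header = "Authorization: Bearer %s"\n' "$SPLUNK_TOKEN" |
        curl --silent --fail --config - -X DELETE "$BASE_URL/$1"
}

main() {
    count=0
    for key in $(read_entity_keys "$1"); do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "would delete entity $key"
        elif delete_entity "$key"; then
            echo "deleted entity $key"
        else
            echo "failed to delete entity $key" >&2; continue
        fi
        count=$((count + 1))
    done
    echo "$count entities processed"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it once with the CSV path as the only argument to review the "would delete" list, then again with `DRY_RUN=0` to perform the deletions.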