event_start=1
event_stop=500
search_parms = {'date_from': '1/10/2016:05:00', 'start': event_start, 'stop': event_stop, 'timeout': 60, 'date_to': '02/22/2017:23:39', 'mask_prvs': 0, 'maxresults': 100000},
SEARCH "mid=*" OR "icid=*" starttime::03/08/2017:00:00:00 endtime::03/15/2017:23:49:59 maxtime::-1 maxevents::150000 GET events::101-600 OUTPUT splunkui::2.1
So, the Splunk response is for the above query search.
a. How to delete these results from Splunk DB which are indexed?
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Below is the code snippet, which uses "api_data" & does a "rpc" call. Can we tweak the below code snippet for deleting the queried data from the Splunk DB?
cancel_id_token = '%s' % (cancel_id,)
search_token = '<query>%s</query>' % (query,)
user_token = '<user>livesplunkuser</user>'
# Backslash-newline inside the string literal keeps the XML on one line;
# the continuation lines must start at column 0 or the whitespace is sent too.
api_data = '<call name="executeQuery"> \
<params>' + \
    self.auth_token + \
    query_id_token + \
    search_token + \
    cancel_id_token + \
    user_token + \
    '</params> \
</call>'
if self.debug:
    P('api_data=%s' % (api_data,))
try:
    self.server.request("POST", "/rpc", api_data)
    result = self.server.getresponse().read()
    return result
except Exception as e:
    try:
        # The self.server might be used by another request, so try to use a new connection.
        server = get_proxy_server(self.url, self.port)
        server.request("POST", "/rpc", api_data)
        result = server.getresponse().read()
        server.close()
    except Exception as e:
        raise SplunkException('Could not connect to server to perform search (%s): %s' % (self.server, str(e),))
    return result
NOTE:
1. Another query of mine: is there any option in api_data "call name" for deleting the query results from Splunk DB completely?
2. The above code snippet is from Email Security Appliance, which uses Splunk DB.
Thanks & Regards,
Dharmendra Setty
You can make individual events unsearchable using the delete
command (see here: http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Delete), or you can delete all the events in an index using the splunk clean command
(see here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/CLIadmincommands).
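As an added example (not from the answer above, the appliance, or Splunk's own code), this builds the delete search for the poster's time window and terms and submits it through Splunk's REST search endpoint rather than the appliance's /rpc interface; the index name, management URL and session key are assumptions, and the dry-run form counts the matching events before anything is made unsearchable.

```python
import json
import urllib.parse
import urllib.request


def build_delete_search(terms, earliest, latest, index="main", dry_run=True):
    """Build the search that marks matching events unsearchable.

    `terms` is the search clause from the appliance query (e.g. '"mid=*" OR "icid=*"');
    `earliest`/`latest` use Splunk's %m/%d/%Y:%H:%M:%S format, the same layout as the
    appliance's starttime::/endtime:: arguments. With dry_run=True the `| delete`
    stage is replaced by `| stats count`, so the same window and terms can be
    counted and reviewed before the destructive run.
    """
    base = 'search index={idx} ({terms}) earliest="{e}" latest="{l}"'.format(
        idx=index, terms=terms, e=earliest, l=latest)
    return base + (" | stats count" if dry_run else " | delete")


def submit_search(base_url, session_key, search):
    """POST the search to Splunk's REST API (/services/search/jobs) as a oneshot
    job and return the parsed JSON result. The session key comes from
    /services/auth/login and must belong to a user holding the can_delete role,
    otherwise the `| delete` stage is rejected."""
    body = urllib.parse.urlencode(
        {"search": search, "exec_mode": "oneshot", "output_mode": "json"}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/services/search/jobs",
                                 data=body, method="POST")
    req.add_header("Authorization", "Splunk " + session_key)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Constructed values: the window is the one from the poster's SEARCH line;
    # the URL and session key below are placeholders, not real credentials.
    terms = '"mid=*" OR "icid=*"'
    window = ("03/08/2017:00:00:00", "03/15/2017:23:49:59")
    print(build_delete_search(terms, *window))                 # review the count first
    print(build_delete_search(terms, *window, dry_run=False))  # then run the delete
    # submit_search("https://splunk.example:8089", "<session-key>", build_delete_search(terms, *window))
```

Note that `| delete` only hides the events from search; reclaiming the disk space for a whole index is what `splunk clean` is for, as the answer says.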
Hi,
Basically I am looking for connecting to Splunk from Email Security Appliance, then DELETE the
queried data between Time-1 & Time-2 from Splunk DB completely.
Thanks & Regards,
Dharmendra Setty