
How to use a delete command in splunk...?

prakash007
Builder

I cannot delete the events in Splunk. I appended the delete command to this search. I'm looking to delete the events which contain the words "checkout/infuse.jspmethod=KRA&servervi=". I do have the can_delete and delete_by_keyword roles in my access...

index=* sourcetype=webserver_logs source="/opt/ihs/access/*/log/access*log" 
"*checkout/infuse.jspmethod=KRA&servervi=*" | delete

woodcock
Esteemed Legend

If the job is timing out it is because you have a huge number of events being returned. When you run the search, click on the "jobs" menu and select "Send job to background" and give it an email address to send you an email when it is done. This will keep the job from timing out.


jward6004
Explorer

How would I setup a scheduled search to check if the delete command was run in my environment?


jkat54
SplunkTrust

This is a different question. Click on the gear button on the upper right corner of your comment, and select "convert to question" in order to convert your answer to a question.

The solution is very simple and I'll be happy to help you once you convert this to your own question.

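One way to answer jward6004's question about checking whether the delete command was run, as an added example that is not part of this thread: a scheduled search over index=_audit can match search pipelines containing `| delete`. The script below implements the same detection logic in Python over a few constructed audit lines laid out like splunkd's audit.log entries (the sample records, user names and search IDs are made up), so it can be run offline; the SPL in the docstring is the assumed equivalent for a saved search and is not quoted from the thread.

```python
"""Flag runs of the Splunk `delete` search command in audit events.

Added example, not from the thread. Equivalent SPL for a scheduled alert
(an assumption, not from the thread):
    index=_audit action=search info=granted search="*|*delete*"
The Python below is stricter: it ignores the word "delete" when it only
appears inside a quoted keyword, so a search *for* the text "| delete"
does not raise a false alarm.
"""
import re

# Constructed sample lines mimicking the splunkd audit.log layout; not real records.
SAMPLE_AUDIT_LINES = [
    "01-15-2024 10:02:11.000 +0000 INFO AuditLogger - Audit:[timestamp=01-15-2024 10:02:11.000, "
    "user=prakash007, action=search, info=granted , search_id='1705312931.55', "
    "search='search index=* sourcetype=webserver_logs \"*checkout/infuse.jsp*\" | delete', "
    "autojoin='1', buckets=0, ttl=600][n/a]",
    "01-15-2024 10:05:40.000 +0000 INFO AuditLogger - Audit:[timestamp=01-15-2024 10:05:40.000, "
    "user=analyst1, action=search, info=granted , search_id='1705313140.61', "
    "search='search index=main error | stats count by host', autojoin='1', buckets=0, ttl=600][n/a]",
    # Keyword search for the literal text "| delete": must NOT be reported.
    "01-15-2024 10:07:02.000 +0000 INFO AuditLogger - Audit:[timestamp=01-15-2024 10:07:02.000, "
    "user=analyst1, action=search, info=granted , search_id='1705313222.62', "
    "search='search index=main \"| delete\" | head 10', autojoin='1', buckets=0, ttl=600][n/a]",
    # A denied attempt (no can_delete role) is still worth surfacing, flagged by info=denied.
    "01-15-2024 10:09:30.000 +0000 INFO AuditLogger - Audit:[timestamp=01-15-2024 10:09:30.000, "
    "user=intern, action=search, info=denied , search_id='1705313370.63', "
    "search='search index=main |delete', autojoin='1', buckets=0, ttl=600][n/a]",
]

# Pull user, action, info and the search string out of one audit line.
AUDIT_RE = re.compile(
    r"user=(?P<user>[^,]+), action=(?P<action>[^,]+), info=(?P<info>\w+)\s*,"
    r".*?search='(?P<search>[^']*)'"
)
# A pipe followed by the delete command, with or without whitespace ("| delete", "|delete").
DELETE_RE = re.compile(r"\|\s*delete\b", re.IGNORECASE)
# Double-quoted keyword arguments, stripped before testing so quoted text cannot match.
QUOTED_RE = re.compile(r'"[^"]*"')


def parse_audit_line(line):
    """Return a dict of the interesting audit fields, or None if the line is not a search audit."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    return {k: v.strip() for k, v in m.groupdict().items()}


def uses_delete_command(spl):
    """True if the SPL pipeline invokes the delete command (quoted strings ignored)."""
    return bool(DELETE_RE.search(QUOTED_RE.sub("", spl)))


def find_delete_runs(lines):
    """Return the parsed records (user, info, search) for every pipeline that runs delete."""
    hits = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or rec["action"] != "search":
            continue
        if uses_delete_command(rec["search"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_delete_runs(SAMPLE_AUDIT_LINES):
        print(f"{rec['info']:8} user={rec['user']:12} search={rec['search']}")
```

Run as a scheduled search, the SPL form would alert on each granted execution; the `info=denied` rows are the failed attempts that a reviewer would typically also want to see, so the script reports both and leaves the split to the caller.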

kbrown_splunk
Splunk Employee

First, your search command is fine.

Setting can_delete will allow you to delete. (Make sure you remove can_delete when you are done.)

Anything is possible with permissions, but it is likely fine if you are indexing data into the index.

We do not have write/read permissions in our roles: splunkd writes, you read, unless you set can_delete. The roles can restrict the index you are allowed to use, but you said your search returns events, so you are good there.

Are your indexers clustered?

See this section in the link below: "The delete operation and indexer clusters"
http://docs.splunk.com/Documentation/Splunk/6.4.1/Indexer/RemovedatafromSplunk

As already mentioned, check splunkd.log for errors.


jkat54
SplunkTrust

Is/are the index(es) you're deleting from owned by the splunkd user account? Check the filesystem permissions on the indexes to verify.

Also check search.log by running your delete search, then clicking Inspect Job, then search.log. Look in that log for errors, warnings, etc.


prakash007
Builder

I don't think delete would delete events from the indexers; it only makes events non-searchable by users. Correct me if I'm wrong.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delete

When I run the query it just sits there for a while and then says the search job has expired. It's happening even when I run the search for 1 hour or 1 day.


jkat54
SplunkTrust

It needs write permission to write a deleted flag; no?


prakash007
Builder

I do have can_delete and delete_by_keyword access in my role.


pradeepkumarg
Influencer

Without the delete, do you get the results back for your search?


prakash007
Builder

Yes, I do get the results without delete.


woodcock
Esteemed Legend

Make sure that you (one of the roles of which you are a member) have the delete permission.

cpetterborg
SplunkTrust

Are you getting any error messages?


prakash007
Builder

Nope, I'm not getting any error message. Even when I tried deleting a single event without asterisks, it doesn't work.
