How do I delete a data field from Splunk entirely?

katzr · ‎07-25-2017

I would like to delete a data field entirely from Splunk. Would I use the same way as described below? The data field I would like to delete is called "Ethnic Origin". Is this the correct way to delete it? I have the can_delete permissions.

splunk stop
splunk clean “Ethnic Origin”

Note: I ran the following searches above and that did not delete the data field Ethnic Origin. Can someone suggest a different method to delete it?

I don't want to remove the whole event- just that data field out of the event. I can generate a list of this field with a table- could I use the delete command with a table I have pulled up?

s2_splunk · ‎07-25-2017

What you are trying to do is not possible. Once data is indexed, you can hide events using the | delete search command (even that does not physically delete the data off of disk).

The only way to achieve what (I think) you want to do is to delete the index itself, and re-index the data without the fields you do not want to have indexed. If you cannot remove the data from the source, you can mask it using props/transforms and the appropriate RegEx expression, but you would still need to re-index.

Depending on your use case and requirements, the scrub command may be helpful, which works by identifying certain terms/words in your events and replacing them with meaningless values.

somesoni2 · ‎07-25-2017

You can't delete a part of the event (fields for that matter). You can only delete the whole events. Could you describe more about requirement of yours? You may end up setting up data masking for that field which will ensure no future events will have that field and deleting full events for historical data.

How do I delete a data field from Splunk entirely?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!