Search Reference

This documentation does not apply to the most recent version of Splunk.

delete

Synopsis

Performs a deletion from the index.

Syntax

delete

Description

Piping a search to the delete operator marks all the events returned by that search so that they are never returned by any future search. No user (even with admin permissions) will be able to see this data using Splunk.

The delete operator can only be accessed by a user with the "delete_by_keyword" capability. By default, Splunk ships with a special role, "can_delete", that has this capability (and no others). The admin role does not have this capability by default. Splunk recommends that you create a special user that you log into only when you intend to delete index data.

To use the delete operator, run a search that returns the events you want deleted. Make sure that this search ONLY returns events you want to delete, and no other events. Once you've confirmed that this is the data you want to delete, pipe that search to delete.

Note: The delete operator will trigger a roll of hot buckets to warm in the affected index or indexes.

Examples

Example 1: Delete events from the "insecure" index that contain strings that look like Social Security numbers.

index=insecure | regex _raw="\d{3}-\d{2}-\d{4}" | delete

Example 2: Delete events from the "imap" index that contain the word "invalid".

index=imap invalid | delete
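The verify-then-delete workflow described above, applied to Example 1, as an added example that is not part of the original page. The first search is run while logged in as the dedicated "can_delete" user and shows, per index, sourcetype and source, exactly which events match; the time bounds (`earliest`/`latest`, assumed values) keep the scope narrow. Only after those counts look right is the identical search re-run with `| delete` in place of `| stats`:

```spl
index=insecure earliest=-30d@d latest=now | regex _raw="\d{3}-\d{2}-\d{4}" | stats count by index, sourcetype, source

index=insecure earliest=-30d@d latest=now | regex _raw="\d{3}-\d{2}-\d{4}" | delete
```

Keep the search terms and time range byte-for-byte identical between the two searches; any difference (a widened time range, a dropped filter) changes what the second search removes, and there is no undo.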

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11.