Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF

delete

Description

Using the delete command marks all of the events returned by the search as deleted. Subsequent searches do not return the marked events. No user, not even a user with admin permissions, is able to view this data after deletion. The delete command does not reclaim disk space.

Removing data is irreversible. If you want to get your data back after the data is deleted, you must re-index the applicable data sources.

You cannot run the delete command in a real-time search to delete events as they arrive.

Syntax

delete

Usage

The delete command can be accessed only by a user with the "delete_by_keyword" capability. By default, only the "can_delete" role has the ability to delete events. No other role, including the admin role, has this ability. You should create a special userid that you log on with when you intend to delete indexed data.

To use the delete command, run a search that returns the events you want deleted. Make sure that the search returns ONLY the events that you want to delete, and no other events. After you confirm that the results contain the data that you want to delete, pipe the search to the delete command.

The delete operator triggers a roll of hot buckets to warm in the affected indexes.

The output of the delete command is a table of the quantity of events removed by the fields splunk_server (the name of the indexer or search head), and index, as well as a rollup record for each server by index "__ALL__". The quantity of deleted events is in the deleted field. An errors field is also emitted, which will normally be 0.

Note: The delete command does not work if your events contain a field named index aside from the default index field that is applied to all events. If your events do contain an additional index field, you can use eval before invoking delete, as in this example:

index=fbus_summary latest=1417356000 earliest=1417273200 | eval index = "fbus_summary" | delete

Permanently removing data from an index

The delete command does not remove the data from your disk space. You must use the clean command from the CLI to permanently remove the data. The clean command removes all of the data in an index. You cannot select the specific data that you want to remove. See Remove indexes and indexed data in Managing Indexers and Clusters of Indexers.

Examples

Delete events with Social Security numbers

Delete the events from the insecure index that contain strings that look like Social Security numbers. Use the regex command to identify events that contain the strings that you want to match.

  1. Run the following search to ensure that you are retrieving the correct data from the insecure index.

    index=insecure | regex _raw = "\d{3}-\d{2}-\d{4}"

  2. If necessary, adjust the search to retrieve the correct data. Then add the delete command to the end of the search to delete the events.

    index=insecure | regex _raw = "\d{3}-\d{2}-\d{4}" | delete

Delete events that contain a specific word

Delete events from the imap index that contain the word invalid.

index=imap invalid | delete

Remove the Search Tutorial events

Remove all of the Splunk Search Tutorial events from your index.

  1. Login as a user with the admin role.
  2. Click Settings, Access controls and create a new user with the can_delete role.
  3. Log out as admin and log back in as the user with the can_delete role.
  4. Set the time range picker to All time.
  5. Run the following search to retrieve all of the Search Tutorial events.

    source=tutorialdata.zip:*

  6. Confirm that the search is retrieving the correct data.
  7. Add the delete command to the end of the search criteria and run the search again.

    source=tutorialdata.zip:* | delete

    The events are removed from the index.
  8. Log out as the user with the can_delete role.

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the delete command.

PREVIOUS
dedup
  NEXT
delta

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2.0, 7.2.1


Comments

Good catch, Thebarrryk. I've updated the content. Thanks!

Andrewb splunk
April 2, 2015

Shouldn't "Note: The default command does not work" be "Note: The delete command does not work"

Thebarryk
March 21, 2015

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters