delete
Contents
delete
Synopsis
Performs a deletion from the index.
Syntax
delete
Description
Piping a search to the delete operator marks all the events returned by that search so that future searches do not return them. No user (even with admin permissions) will be able to see this data using Splunk. Currently, piping to delete does not reclaim disk space.
Note: Splunk does not let you run the delete operator during a real-time search; you cannot delete events as they come in. If you try to use delete during a real-time search, Splunk will display an error.
The delete operator can only be accessed by a user with the "delete_by_keyword" capability. By default, Splunk ships with a special role, "can_delete" that has this capability (and no others). The admin role does not have this capability by default. Splunk recommends you create a special user that you log into when you intend to delete index data.
To use the delete operator, run a search that returns the events you want deleted. Make sure that this search ONLY returns events you want to delete, and no other events. Once you've confirmed that this is the data you want to delete, pipe that search to delete. Read more about how to remove indexed data from Splunk in the Managing Indexers and Clusters manual.
Note: The delete operator will trigger a roll of hot buckets to warm in the affected index(es).
Examples
Example 1: Delete events from the "insecure" index that contain strings that look like Social Security numbers.
index=insecure | regex _raw = "\d{3}-\d{2}-\d{4}" | deleteExample 2: Delete events from the "imap" index that contain the word "invalid"
index=imap invalid | deleteAnswers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the delete command.
This documentation applies to the following versions of Splunk: 5.0 , 5.0.1 , 5.0.2 View the Article History for its revisions.