Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

delete

Synopsis

Performs a deletion from the index.

Syntax

delete

Description

Piping a search to the delete operator marks all the events returned by that search so that future searches do not return them. No user (even with admin permissions) will be able to see this data using Splunk. Currently, piping to delete does not reclaim disk space.

Note: Splunk does not let you run the delete operator during a real-time search; you cannot delete events as they come in. If you try to use delete during a real-time search, Splunk will display an error.

The delete operator can only be accessed by a user with the "delete_by_keyword" capability. By default, Splunk ships with a special role, "can_delete" that has this capability (and no others). The admin role does not have this capability by default. Splunk recommends you create a special user that you log into when you intend to delete index data.

To use the delete operator, run a search that returns the events you want deleted. Make sure that this search ONLY returns events you want to delete, and no other events. Once you've confirmed that this is the data you want to delete, pipe that search to delete. Read more about how to remove indexed data from Splunk in the Admin manual.

Note: The delete operator will trigger a roll of hot buckets to warm in the affected index(es).

Examples

Example 1: Delete events from the "insecure" index that contain strings that look like Social Security numbers.

index=insecure | regex _raw = "\d{3}-\d{2}-\d{4}" | delete

Example 2: Delete events from the "imap" index that contain the word "invalid"

index=imap invalid | delete

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the delete command.

PREVIOUS
dedup
  NEXT
delta

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters