Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

delete report data from the summary index

LearningGuy
Builder
‎10-26-2023 05:31 PM


index=summary  report=group_ip
How do I delete report data from summary index?
For example: The report is generated and placed in summary index hourly.
How do I delete the report data of Hour 1 and hour 2 from the summary index?    
Thank you for your help

Hour 1
Empty - because the query is incorrect resulting an empty data, I corrected the query

Hour 2
The query is partially correct, resulting partial data, I corrected the query

companyip
companyA 
companyB 
companyC 


Hour 3
The query is correct

companyip
companyA1.1.1.1
companyB1.1.1.2
companyC1.1.1.3
Labels (1)
Labels
0 Karma
Reply

LearningGuy
Builder
‎10-27-2023 06:41 AM


1) I found out how to filter events based on _time and put a delete command. Please let me know if this is a correct approach

index=summary report=report=group_ip 
| eval epoch1 = _time | search epoch1="[number]"
| delete


2)   The command above didn't work because I don't have permission to delete.
       I went to "[Settings > Users > your_user]",  I was unable to find "Users"

Please suggest. Thanks 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-28-2023 12:19 AM

Question is why do you want to delete the events in the first place.

As a general rule, events in Splunk are not deletable. Yes, there is a delete command but it doesn't remove the events from the buckets it just marks them as unsearcheable.

But.

If you need to capture just a transient state which needs to be updated often and you don't care about previous states either search for particular instance of your results (for example by creating a summary with  a counter and incrementing said counter in subsequent generations of your summaries) or use a lookup instead of a summary index.

Reply

gcusello
SplunkTrust
SplunkTrust
‎10-27-2023 11:16 PM

Hi @LearningGuy,

the approach is correct, but only you can know if the search before the delete command is correct.

about the Users menu, probably you're working on a Search Head Cluster, so normal users cannot modify users roles, contact an admin to make this action .

Only one additiona information that I forgor in my first answer: the delete command runs a logical deletion, not a physical deletion, in other words, it marks the events as "deleted" and you don't see them more but they remain in the buckets until the bucket is discarded.

Ciao.

Giuseppe

Reply

gcusello
SplunkTrust
SplunkTrust
‎10-26-2023 11:47 PM

Hi @LearningGuy,

did you tried the delete command (obviously enabling the can_delete role)?

Use this command with very much attention and ta the rend disable the can_delete role from your account!

You should create a search to identify the events to delete and then add the delete command at the end.

Ciao.

Giuseppe

Reply

LearningGuy
Builder
‎10-27-2023 05:47 AM

Hi @gcusello,

I have not tried delete command
 
1) Could you please explain what you meant by this command you said previously and provide an example? 
"ta the rend disable the can_delete role"

2) How do create a search to identify the event? 
I tried to filter the event generated on a specific hour  based on "_time" field, but it didn't give me result. 

3) How do I know if I have can_delete role?   How do I enable it?

Thank you so much for your help

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-27-2023 06:28 AM

hi @LearningGuy,

1)

sorry there was a mistyping !

I wanted to say that the can_delete role isn't usually enabled on production systems, so you have to enable it for your user and disable after deleting, dor leave it associated to your role!

2)

you generated many events  with your scheduled search: someone to dlete and someother to maintain (I suppose).

so, be sure (testing your search) that the results of your search will be only the events to delete then you can run the delete command after your search.

can_delete is a stadard Splunk role, that you should be able to associate to your user in [Settings > Users > your_user].

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...