USAGE OF SPLUNK COMMANDS: DELETE

Hi Guys!!!
Today we have come with another interesting command, i.e. “delete”. This command can be useful in many circumstances, but you need to be careful while using it.
So, today we will guide you on how to use the “delete” command.

Usage of delete command:
1) The delete command is used to delete events.
2) The delete command can be run only by a user with the “delete_by_keyword” capability.
3) By default, only the “can_delete” role has the “delete_by_keyword” capability. (Keep in mind that no other user, not even a user with the admin role, has this capability by default.)
4) You have to assign the “can_delete” role to the user, or you can create a separate role that has the “delete_by_keyword” capability.
5) No user, not even one with the admin role, has permission to view data removed by the “delete” command. If you want the data back, you have to re-index it.
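As an added example (not part of the original post), point 4 can also be done in configuration instead of the UI: the stanza below defines a separate role that carries the “delete_by_keyword” capability and is limited to a single index, rather than handing the “can_delete” role to an admin account. The role name role_test_deleter and the index name test_index are assumptions chosen for illustration.

```ini
# authorize.conf (for example $SPLUNK_HOME/etc/system/local/authorize.conf)
# Added example: a dedicated role that is allowed to run "| delete",
# restricted to one index. Role name and index name are assumed.
[role_test_deleter]
# Inherit ordinary search rights from the built-in "user" role.
importRoles = user
# The capability that the "| delete" command checks for.
delete_by_keyword = enabled
# Limit which indexes the role can search, and therefore delete from.
srchIndexesAllowed = test_index
srchIndexesDefault = test_index
```

After saving the file, the new role appears under Access controls and can be assigned to a user in the same way as “can_delete” in the steps below. Keeping the capability in a narrowly scoped role means a mistyped search piped into “delete” can only affect the index that role is allowed to see. Note that “delete” only marks the matching events so that they are never returned by a search; it does not free disk space, which is why re-indexing is the only way to get the data back.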

Syntax of delete command:

| delete

Example: 1
Step: 1
Please see the query below:

index=test_index sourcetype=test subject=Science

Explanation:
Here, we have used the index “test_index” and the sourcetype “test”, where we have the sample data.
We have also used a field named “subject”. We want to delete the events where the value of the “subject” field is “Science”.
As you can see, there are two events where the value of the “subject” field is “Science”, which we want to delete.


Step: 2

index=test_index sourcetype=test subject=Science
| delete

Explanation:
Here, we have used the delete command to delete the events where the value of the “subject” field is “Science”.
But, as you can see, we got an error: “Error in ‘delete’ command: You have insufficient privileges to delete events.”
This means the user we used to log in to this Splunk instance does not have the “can_delete” role assigned to it.
So, in the next steps, we will show you how to give the “can_delete” role to a user.

Step: 3

Explanation:
We have used the “Administrator (admin)” account to log in to this Splunk instance, so we will assign the “can_delete” role to the user “admin”. For that, first click on “Access controls”.

Step: 4
Now, click on the “Users” option.

Step: 5
Now, click on the “admin” user to edit.

Step: 6

Explanation:
Now, in the “Assign to roles” option, under “Available item(s)”, click on the “can_delete” role; it will automatically move under “Selected item(s)”. Then click on the “Save” option.

Step: 7

Explanation:
Now, we have run the below query again:

index=test_index sourcetype=test subject=Science
| delete

As you can see, the query ran without any error.


Step: 8

Explanation:
As you can see, when we now run the below query,

index=test_index sourcetype=test subject=Science

it does not return any events, i.e. the events have been successfully deleted.
