USAGE OF SPLUNK COMMANDS: DELETE
Hi Guys!!!
Today we have come with another interesting command i.e. “delete”. This command can useful for you in many circumstances but you need to be careful while using it.
So, today we will guide you on how you can use the “delete” command.
Usage of delete command:
1) The delete command is used to delete events.
2) The delete command can be accessed only by a user with the “delete_by_keyword” capability.
3) By default, only the “can_delete” role has this “delete_by_keyword” capability. (Keep one thing in mind that no user, not even a user with an admin role has this capability).
4) You have to assign this “can_delete” role to the user or you can create a separate role as well to use the “delete_by_keyword” capability.
5) The data removed by the “delete” command, not even a user with an admin role has permission to view. If you want to get the data back you have to re-index it.
Syntax of delete command:
| delete
Example: 1
Step: 1
Please, see the below query,
index=test_index sourcetype=test subject=Scinece
Explanation:
Here, we have used index “test_index” and sourcetype “test”, where we have the sample data.
Here, we have used a field named “subject”. So, we want to delete the events where the value of the “subject” field is “science”.
As you can see here, we have two events, where the value of the “subject” field is “science” which we want to delete.
Step: 2
index=test_index sourcetype=test subject=Scinece |delete
Explanation:
Here, we have used the delete command to delete the events where the value of the “subject” field is “Science”.
But, as you can see, we got an error, “Error in ‘delete’ command: You have insufficient privileges to delete events.”
This means the user we have used to log in to this Splunk Account does not have the “can_delete” role assigned to it.
So, in the next steps, we will show you how to give the “can_delete” role to a user.
Step: 3
Explanation:
We have used the “Administrator (admin)” account to login to this Splunk Account, so, we will assign the “can_delete” role to the user “admin”. For that, first, click on “Access controls”
Step: 4
Now, click on the “Users” option.
Step: 5
Now, click on the “admin” user to edit.
Step: 6
Explanation:
Now, in the “Assign to roles” option under “Available item(s)” click on the “can_delete” role, it will automatically come under “Selected item(s)” and click on the “save” option.
Step: 7
Explanation:
Now, again we have used the below query,
index=test_index sourcetype=test subject=Scinece |delete
As you can see the query ran without any error.
Step: 8
Explanation:
As you can see, now when we have run the below query,
index=test_index sourcetype=test subject=Scinece
It did not return any events, i.e. the events are successfully deleted.
