Topics

| pdf version

Toolbox

Splunk > The IT Search Company

  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk

Localized Splunk documentation

Looking for Splunk documentation in other languages?

Documentation | Discussion | View source | History

delete

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10

delete

Synopsis

Performs a deletion from the index.

Syntax

delete

Description

Piping a search to the delete operator marks all the events returned by that search so that they are never returned by any future search. No user (even with admin permissions) will be able to see this data using Splunk.

The delete operator can only be accessed by a user with the "delete_by_keyword" capability. By default, Splunk ships with a special role, "can_delete" that has this capability (and no others). The admin role does not have this capability by default. Splunk recommends you create a special user that you log into when you intend to delete index data.

To use the delete operator, run a search that returns the events you want deleted. Make sure that this search ONLY returns events you want to delete, and no other events. Once you've confirmed that this is the data you want to delete, pipe that search to delete.

Note: The delete operator will trigger a roll of hot buckets to warm in the affected index(es)

Examples

Example 1: Delete events from the "insecure" index that contain strings that look like Social Security numbers.

index=insecure | regex _raw = "\d{3}-\d{2}-\d{4}" | deleteSearch

Example 2: Delete events from the "imap" index that contain the word "invalid"

index=imap invalid | deleteSearch
Retrieved from "http://www.splunk.com/base/Documentation/4.0.10/SearchReference/Delete"
Revision: 207 Contact Privacy Policy Terms of Use Community content licensed under Creative Commons

Copyright © 2005-2010 Splunk Inc. All rights reserved.