Remove Host from Splunk Searches Data Summary

Rich Mahlerwein writes on a Splunk comment:
Carefully craft a search that returns those rows and ONLY those rows. There isn't enough information here to know precisely what that search will look like.

You could start by doing something like a * | stats count by sourcetype to find out what sourcetype the ones you want to get rid of are, since I think this is your determining factor (remove all of that older sourcetype).

Once you’ve determined the sourcetype (or anything unique) of the data you want to remove, craft yourself a search that displays just those events. Perhaps

  index=* sourcetype=Y

Make double sure this works right. It should include ALL the rows you want to have removed, but include NO rows that you want to keep. This is the search we’ll use to actually do the delete with.

Then follow the steps in the documentation on removing data from indexes using YOUR search to prevent those results from showing up again. To recap “how to delete data” from the docs, it’s basically
1) Add “delete” capabilities to a role (preferably use a special user)
2) Log in as that role
3) Use that search we made above, double-check that it returns the right data and only that data.
4) Then run that search | delete
5) Watch the output, it’ll tell you how many events got deleted.

Then log OUT as that special user (and I’d suggest disabling it, but you can do what you want), log back in as your usual user and check that you only have the right data in there now.

This is all thanks to:
Rich Mahlerwein
http://www.sideviewapps.com
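As an added example (not part of Rich's comment or the Splunk docs), a small POSIX shell wrapper around the Splunk CLI that codifies the "make double sure" steps above: it refuses to append | delete unless the search is pinned to an index and a sourcetype, shows the count breakdown first, and re-counts afterwards. It assumes the splunk binary is on PATH and that SPLUNK_AUTH holds the credentials of the dedicated user that was given the delete capability; the index and sourcetype names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. SPLUNK_AUTH and the
# index/sourcetype values are placeholders; nothing is deleted unless
# the script is invoked with --run.
SPLUNK_AUTH="${SPLUNK_AUTH:-deleteuser:CHANGEME}"   # user holding the can_delete role

# Return 0 only if the scoping search is explicit enough to hand to delete:
# it must name an index and a sourcetype, and must not already contain delete.
check_scope() {
  s="$1"
  case "$s" in *"| delete"*|*"|delete"*) return 1 ;; esac
  case "$s" in *"index="*) : ;; *) return 1 ;; esac
  case "$s" in *"sourcetype="*) : ;; *) return 1 ;; esac
  return 0
}

# Build the final command from a verified scoping search.
delete_search() { printf '%s | delete\n' "$1"; }

# Dry run: break down what WOULD be removed so it can be eyeballed first.
dry_run() {
  splunk search "$1 | stats count by index, sourcetype, host" -auth "$SPLUNK_AUTH"
}

run_delete() {
  search="$1"
  check_scope "$search" || {
    echo "refusing: search is not scoped to an index and sourcetype" >&2
    return 1
  }
  dry_run "$search"
  splunk search "$(delete_search "$search")" -auth "$SPLUNK_AUTH"
  # Post-check: the same search should now report 0 events.
  splunk search "$search | stats count" -auth "$SPLUNK_AUTH"
}

if [ "${1:-}" = "--run" ]; then
  run_delete "index=legacy_app sourcetype=old_syslog"   # placeholder values
fi
```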
