
Query is on Splunk DB data delete:

My requirement:

I do a query to splunk, based on time stamp, "from date" & "to date".

After I get the list of all event results between the timestamps, I want to delete this list of events from the Splunk database.

Each queried result's data will be stored in the destination database, hence I want to delete each queried result's data from the queried Splunk DB, so that my next query will not end up giving repetitive results; I also want to free up the storage space in the source Splunk DB.

Hence I want an effective solution for how to completely delete the queried result data from the queried Splunk DB.

Thanks & Regards, Dharmendra Setty

1 Answer


I'm not sure you can actually delete them to free up storage space. As written here, what you can do is simply mask the results from ever showing up again in the next searches.

To do this, simply pipe the "delete" command to your search query.

BE CAREFUL: First make sure these really are the events you want to delete.

Example:

index=<index-name> sourcetype=<sourcetype-name> source=<source-name> 
earliest="%m/%d/%Y:%H:%M:%S" latest="%m/%d/%Y:%H:%M:%S" | delete

Where

index=<index-name> sourcetype=<sourcetype-name> source=<source-name> 
earliest="%m/%d/%Y:%H:%M:%S" latest="%m/%d/%Y:%H:%M:%S"

is the search query.

Zionsof
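The "first make sure these really are the events you want to delete" step from the answer above, turned into a two-phase procedure: run the plain search, look at the rows, and only then run the identical search with `| delete` appended. This is an added example, not code from the answer or from Splunk. It also goes beyond the answer in one respect: because the index, sourcetype and source values end up inside a search that will be piped to `delete`, they are checked against a conservative character whitelist first, so a value containing a quote or a pipe cannot widen the search. The REST call (`POST /services/search/jobs` with `exec_mode=oneshot`), the hostname, port and credentials in the usage stub, and all function names are assumptions; adapt them to your deployment. The `delete` command's summary rows are read via the `deleted` field that Splunk reports per index.

```python
import base64
import json
import re
import urllib.parse
import urllib.request
from datetime import datetime

# Time format accepted by earliest= / latest= in the answer's search.
SPLUNK_TIME_FMT = "%m/%d/%Y:%H:%M:%S"
# Conservative whitelist for values interpolated into the search string.
# Letters, digits, and the characters that normally occur in index names,
# sourcetypes and file paths; no quotes, spaces, pipes or brackets.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.:*/-]+$")


def build_search(index, sourcetype, source, earliest, latest):
    """Return the answer's search (without `| delete`) after validating inputs.

    Raises ValueError if a field value contains characters outside the
    whitelist, if a timestamp does not parse with SPLUNK_TIME_FMT, or if the
    window is empty (earliest >= latest).
    """
    for name, value in (("index", index), ("sourcetype", sourcetype), ("source", source)):
        if not SAFE_TOKEN.match(value):
            raise ValueError(f"unsafe characters in {name}={value!r}")
    t0 = datetime.strptime(earliest, SPLUNK_TIME_FMT)
    t1 = datetime.strptime(latest, SPLUNK_TIME_FMT)
    if t0 >= t1:
        raise ValueError("earliest must be before latest")
    return (f"search index={index} sourcetype={sourcetype} source={source} "
            f'earliest="{earliest}" latest="{latest}"')


def make_rest_runner(base_url, username, password):
    """Return a callable that runs SPL as a oneshot job over the Splunk REST API
    and returns the result rows (assumed endpoint shape: /services/search/jobs).
    The user must hold the can_delete capability for the `| delete` phase."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def run(spl):
        body = urllib.parse.urlencode({
            "search": spl, "exec_mode": "oneshot", "output_mode": "json",
        }).encode()
        req = urllib.request.Request(
            f"{base_url}/services/search/jobs", data=body,
            headers={"Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp).get("results", [])

    return run


def guarded_delete(search, runner, confirm):
    """Phase 1: run `search` and hand the rows to `confirm(rows)`.
    Phase 2: only if confirm returns True, run `search | delete`.

    Returns (preview_count, deleted_count); deleted_count is None when the
    delete phase was skipped (no rows, or confirm declined).
    """
    if search.rstrip().endswith("| delete"):
        raise ValueError("pass the plain search; `| delete` is appended here")
    rows = runner(search)
    if not rows or not confirm(rows):
        return len(rows), None
    # `delete` returns one summary row per index with fields index/deleted/errors.
    report = runner(search + " | delete")
    deleted = sum(int(r.get("deleted", 0)) for r in report)
    return len(rows), deleted


def interactive_confirm(rows):
    """Show a small sample and ask the operator before anything is masked."""
    print(f"{len(rows)} events matched; first rows:")
    for r in rows[:3]:
        print("  ", r.get("_raw", r))
    return input("Pipe this search to delete? [y/N] ").strip().lower() == "y"


if __name__ == "__main__":
    # Placeholder deployment values (assumed); replace with your own.
    runner = make_rest_runner("https://splunk.example.invalid:8089", "deleter", "CHANGE_ME")
    spl = build_search("web", "access_combined", "/var/log/nginx/access.log",
                       "01/01/2024:00:00:00", "01/02/2024:00:00:00")
    print(guarded_delete(spl, runner, interactive_confirm))
```

Note that, as the answer says, `delete` only marks the events so that searches no longer return them; it does not reclaim disk. The runner is injected so the preview/confirm/delete logic can be exercised against a stub without a Splunk instance.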