Remove (hide) any event from search results using the delete command

release date
2018-06-18
last updated
2023-12-05
version
Splunk Enterprise 9.0.4
Overview
How to remove (hide) any event from search results using the delete command
Reference information
content

You can delete (hide) any event from search results using the delete command. By granting the can_delete role to a specific user, that user will be able to execute the delete command.

[procedure]

  1. Select any user from Settings > Access Control > User.
  2. Select can_delete from "Available roles" for the user selected in step 1, and save.
  3. Log in to Splunk Web as the user selected in step 1 and display the search screen.
  4. Execute a search statement that yields the search results you want to hide. Make sure it is okay to hide the displayed results, because events that match the search conditions will no longer be displayed in the search results.
     (Example) sourcetype="syslog" abcdef
  5. Add the delete command to the search statement in step 4 and execute the search.
     (Example) sourcetype="syslog" abcdef | delete

[Notes]

  • The above example deletes (hides) events containing the string abcdef in sourcetype="syslog" from the search results.
  • The delete command works by flagging the matching events as deleted. Events flagged in this way can no longer be returned by any search, regardless of the role or permissions of the user searching.
  • Events deleted by the delete command are not removed from disk, so the delete command is not a way to free up disk space.
  • Events deleted by the delete command cannot be made searchable again. To return them to the search targets, you need to import the data again.
  • The user performing the deletion must be granted the role "can_delete" to delete events.
  • To execute the delete command, the user needs the "delete_by_keyword" capability and, in addition, a "deleteIndexesAllowed" setting that specifies the indexes on which the delete command may be executed.
  • If you grant only the "delete_by_keyword" capability to a role without selecting can_delete in the role assignment, the message below is displayed on the search screen when the delete command is executed, and no events are deleted.

You do not have the capability to delete from index=<index name>

If the above message is displayed on the search screen, you can run the delete command without setting "deleteIndexesAllowed" yourself by assigning the "can_delete" role to the user as in steps 1 and 2 of the procedure above.

*If you want to set "deleteIndexesAllowed" for a role directly, you need to edit the configuration file "authorize.conf" and restart the Splunk service.
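As an added example (not from the original article), the authorize.conf fragment below contrasts the built-in can_delete role used in the procedure with a narrower custom role that may only delete from one index. The stanza and setting names follow authorize.conf conventions; the role name "syslog_deleter" and the index name "syslog_idx" are assumptions for illustration, and the can_delete stanza is written as it is assumed to ship by default.

```ini
# Added example, not part of the original article.
# Role stanzas in authorize.conf are named [role_<roleName>].
# "syslog_deleter" and "syslog_idx" are assumed names for illustration.

# Option 1 (what steps 1 and 2 of the procedure do): the built-in can_delete
# role. It carries delete_by_keyword and is allowed to delete from every
# index, so assign it only for the duration of the cleanup task.
[role_can_delete]
delete_by_keyword = enabled
deleteIndexesAllowed = *

# Option 2: a custom role limited to a single index.
# delete_by_keyword alone is not enough: the search screen then shows
# "You do not have the capability to delete from index=<index name>" and
# nothing is deleted. deleteIndexesAllowed names the index (or indexes,
# separated by semicolons) the delete command may act on.
# Editing this file requires a restart of the Splunk service.
[role_syslog_deleter]
importRoles = user
delete_by_keyword = enabled
deleteIndexesAllowed = syslog_idx
```

Because deleted events cannot be restored without re-importing the data, a role scoped with deleteIndexesAllowed limits how much a mistaken or misused delete can affect.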

See reference information for the delete command and role of can_delete.

that's all