Removing data from Splunk is possible by using the delete command. We first create the search condition to fetch the events we want to mark for delete. Once the search condition is acceptable, we add the delete clause at the end of the command to remove those events from Splunk. After deletion, not even a user with admin privilege is able to view this data in Splunk.
Removal of data is irreversible. If you still want the removed data back into Splunk then you should have the original source data copy with you which can be used to re-index the data in Splunk. It will be a process similar to creating a new index.
Any user including admin user does not have access to delete the data by default. By default, only the "can_delete" role has the ability to delete events. So, we create a new user, assign this role and then login with the credentials of this new user to perform the delete operation. The below image shows how we create a new user with “can_delete” role. We arrive at this screen by following the path Settings → Access Controls → Users → New User.
We then log out of Splunk interface and login back with this newly created user.
First, we need to identify the list of events we want to remove. It is done using a normal search query specifying the filter condition. In the below example, we choose to look for the events from the host web_application which has the field http status value as 505. Our goal is to delete only the set of data containing these values to be removed from the search result. The below image shows this set of data selected.
Next, we use the delete command to remove the above selected data from the result set. It involves just adding the word delete after ‘|’ at the end of the search query as shown below −
After running the search query above, we can see the next screen where those events have got deleted.
You can also further run the search query to verify that these events are not returned in the result set.