The Splunk search language provides the delete command to delete event data from subsequent searches. The command only removes the events from subsequent searches, and it is available only with events indexes.

The delete command can only be run by a user with the "delete_by_keyword" capability. By default, Splunk Enterprise ships with a special role, "can_delete", that has this capability (and no others).

You cannot run the delete command during a real-time search. If you try, Splunk Enterprise displays an error.

If you want to get your data back once you've removed data using any of the techniques described in this topic, you must re-index the applicable data sources.

Remove older data, based on a retirement policy.
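Because the ability to run delete depends entirely on the "delete_by_keyword" capability, it is worth checking which roles actually hold it, including through role inheritance. The following is an added example, not code from the original page or from Splunk: it assumes the merged authorize.conf text is available as a string, uses a constructed sample configuration, and the function name `roles_with_capability` is hypothetical.

```python
import configparser

# Constructed sample authorize.conf content (not from a real deployment).
SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled

[role_can_delete]
delete_by_keyword = enabled

[role_power]
importRoles = user
rtsearch = enabled

[role_soc_lead]
importRoles = power;can_delete

[role_admin]
importRoles = power;user
"""


def roles_with_capability(conf_text, capability="delete_by_keyword"):
    """Map each role holding `capability` to the inheritance path that grants it."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # preserve key case such as importRoles
    parser.read_string(conf_text)
    roles = {s[len("role_"):]: parser[s]
             for s in parser.sections() if s.startswith("role_")}

    def find(role, seen):
        # Unknown roles and import cycles grant nothing.
        if role in seen or role not in roles:
            return None
        if roles[role].get(capability, "").strip().lower() == "enabled":
            return [role]
        # importRoles is a semicolon-separated list of parent roles.
        for parent in roles[role].get("importRoles", "").split(";"):
            path = find(parent.strip(), seen | {role}) if parent.strip() else None
            if path:
                return [role] + path
        return None

    found = {role: find(role, frozenset()) for role in roles}
    return {role: path for role, path in found.items() if path}


if __name__ == "__main__":
    for role, path in roles_with_capability(SAMPLE_AUTHORIZE_CONF).items():
        print(f"{role}: {' -> '.join(path)}")
```

In the sample, the constructed role "soc_lead" can run delete only because it imports "can_delete", which a check of directly assigned capabilities would miss.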