Recently, I needed to delete some events that matched certain summary conditions. For example, where the event count exceeds a certain threshold:
Now, if you try to delete the events by appending | delete, you'll receive an error:
Error in 'delete' command: This command cannot be invoked after the non-streaming command 'stats'
But, I need to delete the events, and I don't give up easily. What to do?
Thanks to the power of subsearches, and the return command, it's quite simple:
index=_internal [search index=_internal | stats count by name | where count > 10000 | return 5 name ] | delete
It is important to note 3 things:
- Be sure you really know what you are doing! I suggest pairing up with a coworker to explain what you are doing as you go. Your coworker might notice a typo that you missed, and often times, just saying something out loud will help to clarify thoughts.
- Run the command without "| delete" at least once, then add it back when you are sure you're ready to delete those events.
- You may need to run the whole query multiple times in order to delete all of the events. The return command takes a parameter (I used 5, because the subsearch returned only 5 events) that returns the top n number of results from the subquery. If you were deleting a large number of events, you might want to delete a few at a time. The default number of events to return is 1.
That's all for today. Happy Splunking!