How to Delete Splunk Events When Using a Transforming Command

Recently, I needed to delete some events that matched certain summary conditions. For example, where the event count exceeds a certain threshold:

[Image: Example showing event search with stats criteria]

Now, if you try to delete the events by appending | delete, you'll receive an error:

Error in 'delete' command: This command cannot be invoked after the non-streaming command 'stats'

But, I need to delete the events, and I don't give up easily. What to do?

Thanks to the power of subsearches, and the return command, it's quite simple:

index=_internal [search index=_internal | stats count by name | where count > 10000 | return 5 name ] | delete

It is important to note 3 things:

  1. Be sure you really know what you are doing! I suggest pairing up with a coworker to explain what you are doing as you go. Your coworker might notice a typo that you missed, and oftentimes, just saying something out loud will help to clarify thoughts.
  2. Run the command without "| delete" at least once, then add it back when you are sure you're ready to delete those events.
  3. You may need to run the whole query multiple times in order to delete all of the events. The return command takes a parameter (I used 5, because the subsearch returned only 5 events) that limits its output to the first n results from the subsearch. If you were deleting a large number of events, you might want to delete a few at a time. The default number of results to return is 1.
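
To make points 2 and 3 concrete, here is a small Python model of the query's behavior. It is an added example, not Splunk code and not part of the original post. The sample counts, the threshold of 3, the function names, the row ordering and the exact filter text are assumptions of the model.

```python
from collections import Counter

# Constructed sample: event counts per "name" value (the post's threshold is 10000;
# the model uses 3 so the data stays small).
SAMPLE_COUNTS = {"alpha": 5, "bravo": 2, "charlie": 4, "delta": 6, "echo": 1, "foxtrot": 7}
SAMPLE_EVENTS = [{"name": n} for n, c in SAMPLE_COUNTS.items() for _ in range(c)]


def subsearch(events, threshold, limit=1, field="name"):
    """Model of: stats count by <field> | where count > <threshold> | return <limit> <field>."""
    counts = Counter(e[field] for e in events)
    rows = sorted(v for v, c in counts.items() if c > threshold)  # assumption: rows in field order
    return rows[:limit]  # return keeps only the first <limit> rows (default 1)


def expand(values, field="name"):
    """Approximate filter text the subsearch contributes to the outer search."""
    return " OR ".join(f'({field}="{v}")' for v in values)


def run_pass(events, threshold, limit, field="name", delete=False):
    """One run of the whole query. With delete=False this is the dry run from point 2."""
    values = subsearch(events, threshold, limit, field)
    matched = [e for e in events if e[field] in values]
    remaining = [e for e in events if e[field] not in values] if delete else list(events)
    return expand(values, field), len(matched), remaining


def delete_until_clean(events, threshold, limit, field="name"):
    """Repeat the query until the subsearch returns no rows; returns (per-pass log, remaining)."""
    log, remaining = [], list(events)
    while subsearch(remaining, threshold, limit, field):
        # Stop condition is the model's own: an empty subsearch is never handed to the outer search.
        text, hit, remaining = run_pass(remaining, threshold, limit, field, delete=True)
        log.append((text, hit))
    return log, remaining


if __name__ == "__main__":
    print(run_pass(SAMPLE_EVENTS, 3, 2)[:2])  # dry run: filter text and matching event count
    for text, hit in delete_until_clean(SAMPLE_EVENTS, 3, 2)[0]:
        print(f"{hit:3d} events  <-  {text}")
```

With four names over the threshold and a limit of 2, the model needs two passes, and the dry run shows exactly which events the first pass would remove.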

That's all for today. Happy Splunking!