Splunk Tutorial
Splunk - Removing Data
Data is removed from Splunk with the delete command. First write a search whose results are exactly the events you want to remove. Once that search returns the right set, append the delete command to the end of it: the matching events are marked as deleted and are no longer returned by any search. After deletion, not even a user with the admin role can see this data in Splunk. Note that delete does not reclaim disk space; the raw buckets are unchanged until they age out of the index, so deleting with this command is about making data unsearchable, not about wiping it from the filesystem.
Removal is irreversible. If you later need the removed data back in Splunk, you must still have a copy of the original source data, which you can then re-index. That process is the same as onboarding the data into a new index.
Assigning Delete Privilege
By default no user, including the admin user, can delete data. Only the "can_delete" role carries the delete capability. So we create a new user, assign it the can_delete role, and log in with that user's credentials to perform the delete. Keep this role on a dedicated account that is used only for deletions rather than adding it permanently to admin accounts: a mistyped search run by a user holding can_delete removes data irreversibly. The image below shows the creation of a new user with the "can_delete" role. We reach this screen via Settings → Access Controls → Users → New User.
[Screenshot: remove data 0]
We then log out of the Splunk interface and log back in as this newly created user.
Identifying the data to be removed
First, we identify the events to be removed. This is done with an ordinary search that specifies the filter condition. In the example below we look for events from the host web_application whose HTTP status field has the value 505. The goal is to delete only this set of events and nothing else, so check the result set carefully before going further. The image below shows the selected data.
[Screenshot: remove data 1]
Deleting the Selected Data
Next, we use the delete command to remove the selected events. This involves nothing more than appending `| delete` to the end of the search query that returned them, as shown below. Because the same search is reused, any event the first search did not return is untouched, and any event it did return is removed.
[Screenshot: remove data 2]
After running this search, the next screen reports the outcome of the delete: a summary of how many events were removed rather than the events themselves.
[Screenshot: remove data 3]
You can then re-run the original search (without `| delete`) to verify that these events are no longer returned in the result set.