There is a special operator delete in Splunk you can use to pre-scrub events from your Splunk searches. What it does is “flag” events so that your future searches do not return them. Even though a user (even a user with admin permissions) will be able to “see” this data when searching, using delete does not free-up disk space since the data is not actually removed from indexes; it is just invisible to searches.
You can use various operators within a Splunk search pipelines but the delete operator is a very special operator that can only be run by a user granted with the “delete_by_keyword” capability.
You’ll find that when you install Splunk, the Admin user does not have this capability. To grant this capability you can use Splunk Web. You go to Settings than Access controls (under Users and authentication):
From the Access controls page, you select Roles:
On the Roles page you can then click on the user role that you want to edit:
Splunk will then display the properties for your selected user role. Under the Capabilities section, you can click on the delete_by_keyword capability (and then click on the Save button):
Now, once you have added this capability, you can add the delete operator to a search pipeline to delete all events or particular events from a source (index). For example remove (flag) all events in the “awesomeindex”:
source=awesomeindex | delete
or just the events matching the criteria in the search pipeline in the source file named:
source=”c:\\logging\\sales.cma” May 2015 421500 “current Forecast” “83100″ | Delete
As I’ve mentioned, this only flags events and you do not reclaim disk space. To delete indexed data permanently from your disk, you need to use the CLI (command line interface) and the clean command.