Removing Kaspersky CyberTrace objects (Splunk)

This section describes how to remove objects related to Kaspersky CyberTrace from Splunk after Kaspersky CyberTrace is uninstalled. Note that after you have removed these objects, events from Kaspersky CyberTrace persist in Splunk.

After you have uninstalled Kaspersky CyberTrace, delete the %SPLUNKDIR%/etc/apps/Kaspersky-CyberTrace-App-for-Splunk directory, which contains Kaspersky CyberTrace App for Splunk, and then restart Splunk. (Here %SPLUNKDIR% is the directory in which Splunk is installed.) You can restart Splunk either by using the GUI or by running the following command:

%SPLUNKDIR%/bin/splunk restart
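
The removal and restart steps above can be scripted with guards against a wrong or empty %SPLUNKDIR% value. This is an added example, not part of the original documentation or of Kaspersky CyberTrace; the function names are illustrative, and the Splunk installation directory is passed as the first argument.

```sh
#!/bin/sh
# Added example, not vendor code. Function names are illustrative.
APP_NAME="Kaspersky-CyberTrace-App-for-Splunk"

# remove_cybertrace_app SPLUNKDIR
# Returns 0 if the app directory was removed, 1 if it was already absent,
# 2 if the input or layout looks wrong (nothing is deleted in that case).
remove_cybertrace_app() {
    splunkdir=$1
    # An empty or relative value would point the rm below at the wrong path.
    case "$splunkdir" in
        /*) ;;
        *) echo "SPLUNKDIR must be an absolute path" >&2; return 2 ;;
    esac
    apps_dir="$splunkdir/etc/apps"
    app_dir="$apps_dir/$APP_NAME"
    if [ ! -d "$apps_dir" ]; then
        echo "$apps_dir not found; check SPLUNKDIR" >&2
        return 2
    fi
    # A symlink means the app content lives elsewhere; rm would only
    # remove the link, so stop and let the operator inspect it.
    if [ -L "$app_dir" ]; then
        echo "$app_dir is a symlink; inspect it manually" >&2
        return 2
    fi
    if [ ! -d "$app_dir" ]; then
        echo "$app_dir is not present; nothing to remove" >&2
        return 1
    fi
    rm -rf -- "$app_dir" || return 2
}

# uninstall_cybertrace_app SPLUNKDIR
# Restarts Splunk only when the app directory was actually removed.
uninstall_cybertrace_app() {
    remove_cybertrace_app "$1" || return $?
    "$1/bin/splunk" restart
}
```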

Then, if you want, you can clear Splunk of events received from Kaspersky CyberTrace.

To clear Splunk of events received from Kaspersky CyberTrace:

  1. Run the Search & Reporting app by clicking its button in the Splunk GUI.
  2. Delete the events from Kaspersky CyberTrace:
    1. In the Search field, type the following command:

      index="main" sourcetype="kl_cybertrace_events" | delete

      Only a user account that has the can_delete role can delete events from the main index. You can add this role to a user account by selecting Settings > Roles in the Splunk main menu.

    2. Next to the Search field, in the drop-down list for selecting the time interval of events to search, select All time.
    3. Click Search.
