Removing Kaspersky CyberTrace objects (Splunk)
October 1, 2024
ID 175519
This section describes how to remove objects related to Kaspersky CyberTrace from Splunk after Kaspersky CyberTrace is uninstalled. Note that after you have removed these objects, events from Kaspersky CyberTrace persist in Splunk.
To remove objects related to Kaspersky CyberTrace after Kaspersky CyberTrace is uninstalled:
- Delete the following directories:
  - For single-instance integration scheme: %SPLUNK_HOME%/etc/apps/Kaspersky-CyberTrace-App-for-Splunk
  - For Search Head and Heavy Forwarder (distributed integration scheme): %SPLUNK_HOME%/etc/apps/Kaspersky-CyberTrace-App-for-Splunk
  - For Universal Forwarder (distributed integration scheme): %SPLUNK_HOME%/etc/apps/Splunk_TA_Kaspersky-CyberTrace-App-for-Splunk-Universal-Forwarder, which contains Kaspersky CyberTrace App for Splunk.
  Here, %SPLUNK_HOME% is the directory to which Splunk is installed.
- Restart Splunk. You can restart Splunk either by using the Splunk Web or by running the following command:
%SPLUNK_HOME%/bin/splunk restart
Then you can clear Splunk of events received from Kaspersky CyberTrace.
To clear Splunk of events received from Kaspersky CyberTrace:
- Run the Search & Reporting app by clicking its button in the Splunk Web.
- Delete the events from Kaspersky CyberTrace:
  - In the Search field, type the following command:
    index="main" sourcetype="kl_cybertrace_events" | delete
    Deleting events from the main index can be done only under a user account that has the can_delete role. You can add this role to a user account by selecting Settings > Roles in the Splunk main menu.
  - Next to the Search field, in the drop-down list for selecting the time interval of events to search, select All time.
  - Click Search.
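The two procedures above, scripted as an added example (not Kaspersky's or Splunk's own code). It assumes the Splunk installation directory is passed in explicitly, that the labels single, searchhead, heavyforwarder and universalforwarder are chosen here for the three integration schemes, and that the purge step is run through the `splunk search ... -auth` command line rather than Splunk Web.

```shell
#!/bin/sh
# Added example, not part of the Kaspersky CyberTrace documentation.
set -e

# Map an integration role (label chosen here) to the app directory the
# procedure says to delete; the Search Head / Heavy Forwarder path is the
# same as the single-instance one.
cybertrace_app_dir() {
    case "$1" in
        single|searchhead|heavyforwarder)
            printf '%s\n' "$2/etc/apps/Kaspersky-CyberTrace-App-for-Splunk" ;;
        universalforwarder)
            printf '%s\n' "$2/etc/apps/Splunk_TA_Kaspersky-CyberTrace-App-for-Splunk-Universal-Forwarder" ;;
        *)
            printf 'unknown role: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Remove the app directory for a role under the given SPLUNK_HOME.
# Refuses an empty or root SPLUNK_HOME and deletes only the exact path,
# then verifies the path is gone before the restart step reloads apps.
remove_cybertrace_app() {
    role="$1"; home="$2"
    [ -n "$home" ] && [ "$home" != "/" ] || { echo "refusing: bad SPLUNK_HOME" >&2; return 1; }
    dir=$(cybertrace_app_dir "$role" "$home") || return 1
    if [ -d "$dir" ]; then
        rm -rf -- "$dir"
        echo "removed $dir"
    else
        echo "not present: $dir"
    fi
    [ ! -e "$dir" ]
}

# Once the directories are gone: restart Splunk and purge the indexed
# events. The search below is the one from the procedure, with earliest=0
# standing in for the "All time" selection in Splunk Web. The account in
# $2 (user:password) must hold the can_delete role or Splunk rejects it.
restart_and_purge_events() {
    home="$1"; auth="$2"
    "$home/bin/splunk" restart
    "$home/bin/splunk" search \
        'index="main" sourcetype="kl_cybertrace_events" earliest=0 | delete' \
        -auth "$auth"
}
```

Run `remove_cybertrace_app <role> "$SPLUNK_HOME"` once per host for its scheme, then `restart_and_purge_events "$SPLUNK_HOME" user:password` on the instance that holds the main index.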
Figure: Search & Reporting app
- In the Search field, type the following command: