Removing Kaspersky CyberTrace objects (Splunk)

April 11, 2024

ID 175519

This section describes how to remove objects related to Kaspersky CyberTrace from Splunk after Kaspersky CyberTrace is uninstalled. Note that after you have removed these objects, events from Kaspersky CyberTrace persist in Splunk.

To remove objects related to Kaspersky CyberTrace after Kaspersky CyberTrace is uninstalled:

  1. Delete the following directories:
    1. For single-instance integration scheme: %SPLUNK_HOME%/etc/apps/Kaspersky-CyberTrace-App-for-Splunk.
    2. For Search Head and Heavy Forwarder (distributed integration scheme): %SPLUNK_HOME%/etc/apps/Kaspersky-CyberTrace-App-for-Splunk.
    3. For Universal Forwarder (distributed integration scheme): %SPLUNK_HOME%/etc/apps/Splunk_TA_Kaspersky-CyberTrace-App-for-Splunk-Universal-Forwarder, which contains Kaspersky CyberTrace App for Splunk.

      Here, %SPLUNK_HOME% is the directory to which Splunk is installed.

  2. Restart Splunk. You can restart Splunk either by using Splunk Web or by running the following command:

    %SPLUNK_HOME%/bin/splunk restart
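
A dry-run-first way to script step 1 on a Linux Splunk host, as an added example that is not part of the Kaspersky documentation. The function name `remove_cybertrace_apps` and its `dry-run`/`apply` argument are hypothetical, and `$SPLUNK_HOME` is assumed to be the shell equivalent of `%SPLUNK_HOME%`.

```shell
# Added example. Function and argument names are hypothetical; the directory
# names are the ones listed in step 1 of the procedure.
CYBERTRACE_APP_DIRS="Kaspersky-CyberTrace-App-for-Splunk
Splunk_TA_Kaspersky-CyberTrace-App-for-Splunk-Universal-Forwarder"

# Usage: remove_cybertrace_apps <splunk_home> [dry-run|apply]
# Defaults to dry-run. Returns 2 without touching anything if the Splunk
# home is empty, relative, or has no etc/apps directory.
remove_cybertrace_apps() {
    ct_home=$1
    ct_mode=${2:-dry-run}
    # An unset variable would turn "$ct_home/etc/apps" into "/etc/apps".
    case $ct_home in
        /*) ;;
        *) echo "error: Splunk home must be an absolute path" >&2; return 2 ;;
    esac
    ct_apps="$ct_home/etc/apps"
    [ -d "$ct_apps" ] || { echo "error: $ct_apps not found" >&2; return 2; }
    ct_found=0
    for ct_name in $CYBERTRACE_APP_DIRS; do
        ct_target="$ct_apps/$ct_name"
        if [ -L "$ct_target" ]; then
            # A symlinked app directory points elsewhere; leave it for manual review.
            echo "skipped symlink: $ct_target"
        elif [ -d "$ct_target" ]; then
            ct_found=$((ct_found + 1))
            if [ "$ct_mode" = apply ]; then
                rm -rf -- "$ct_target" && echo "removed: $ct_target"
            else
                echo "would remove: $ct_target"
            fi
        fi
    done
    [ "$ct_found" -gt 0 ] || echo "no CyberTrace app directories under $ct_apps"
    return 0
}

# Preview against the local installation when SPLUNK_HOME is set; rerun with
# "apply" once the list looks right, then restart Splunk (step 2).
if [ -n "${SPLUNK_HOME:-}" ]; then
    remove_cybertrace_apps "$SPLUNK_HOME" dry-run || :
fi
```
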

Then you can clear Splunk of events received from Kaspersky CyberTrace.

To clear Splunk of events received from Kaspersky CyberTrace:

  1. Run the Search & Reporting app by clicking its button in Splunk Web.
  2. Delete the events from Kaspersky CyberTrace:
    1. In the Search field, type the following command:

      index="main" sourcetype="kl_cybertrace_events" | delete

      Deleting events from the main index can be done only under a user account that has the can_delete role. You can add this role to a user account by selecting Settings > Roles in the Splunk main menu.

    2. Next to the Search field, in the drop-down list for selecting the time interval of events to search, select All time.
    3. Click Search.

    Figure: Search & Reporting app (Search window in Splunk).
