
Deleting Behavioral Indicator Searches/Anomaly Scoring Rules:

Developing effective behavioral models is both an ongoing process and one with many moving parts on the Splunk backend. As such, while iterating on your models there will undoubtedly be times when you need to remove content from the Splunk instance. To achieve this there are two delete pages, one for Behavioral Indicator Searches and one for Anomaly Scoring Rules. Both remove the scheduled search and its metadata, and neither removes the data those searches have already written to their indexes or any content that depends on what is being deleted.

Delete Behavioral Indicators:

To delete a behavioral indicator search, click Behavioral Indicators under Deploy on the navigation bar and select Delete Behavioral Indicators. From here, to remove a previously created behavioral indicator from the application, select the delete action for that indicator in the displayed table. This will remove:

  • The scheduled saved search associated with the behavioral indicator
  • Metadata for the behavioral indicator from indicator_metadata KV store

This will NOT remove previously generated behavioral indicator values from the defined indicator_index, nor any of the displayed anomaly scoring rules which rely on the behavioral indicator search as a dependency. Those scoring rules are left in place and continue to run on their schedule, so before deleting an indicator, check which scoring rules depend on it and delete or update them first; otherwise they will keep scoring against an indicator that no longer produces new values.

Delete Anomaly Scoring Rules:

To delete an anomaly scoring rule, click Anomaly Scoring Rules under Deploy on the navigation bar and select Delete Anomaly Scoring Rule. From here, to remove a previously created anomaly scoring rule from the application, select the delete action for that rule in the displayed table. This will remove:

  • The scheduled saved search associated with the anomaly scoring rule
  • Metadata for the anomaly scoring rule from the scoring_search_metadata KV store
  • If applicable, any searches, collections.conf and transforms.conf stanzas associated with the baseline used by the scoring search

This will NOT remove previously generated scored anomaly events from the defined scoring_index, nor any of the displayed behavioral indicator searches which contribute to the anomaly scoring rule. Those indicator searches remain scheduled and keep writing values to the indicator_index until they are deleted separately.
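The two delete pages above leave dependent content in place, so the check a practitioner wants before deleting is "which scoring rules depend on this indicator?", and after deleting it is "which scoring rules now reference an indicator that no longer has metadata?". The following script is an added example, not part of the app's own code. It works over the two KV store collections the page names (indicator_metadata and scoring_search_metadata) using Splunk's standard storage/collections/data REST endpoint; the record field names (`name`, `indicators`), the app name and the sample records are assumptions, since the page does not give the collection schema.

```python
"""Pre- and post-deletion dependency checks for behavioral indicators and
anomaly scoring rules. Added example; not the app's own code."""
import base64
import json
import ssl
import urllib.request

# Assumption: each scoring_search_metadata record names its rule in "name"
# and lists the indicator searches it depends on in "indicators"; each
# indicator_metadata record names its search in "name". Constructed
# sample data, not taken from a real instance.
SAMPLE_SCORING_METADATA = [
    {"name": "score_lateral_movement",
     "indicators": ["bi_rare_smb_host", "bi_new_admin_login"]},
    {"name": "score_data_staging", "indicators": ["bi_large_archive_write"]},
    {"name": "score_cred_abuse", "indicators": ["bi_new_admin_login"]},
]
SAMPLE_INDICATOR_METADATA = [
    {"name": "bi_rare_smb_host"},
    {"name": "bi_new_admin_login"},
    {"name": "bi_large_archive_write"},
]


def dependent_rules(scoring_metadata, indicator_name):
    """Scoring rules that list indicator_name as a dependency.

    Run BEFORE using Delete Behavioral Indicators: the delete page leaves
    these rules scheduled, so they would keep running against an indicator
    that no longer produces values."""
    return sorted(r["name"] for r in scoring_metadata
                  if indicator_name in r.get("indicators", []))


def orphaned_rules(scoring_metadata, indicator_metadata):
    """Scoring rules that reference an indicator with no metadata record.

    Run AFTER deletions; returns {rule_name: [missing indicators]}."""
    known = {r["name"] for r in indicator_metadata}
    result = {}
    for rule in scoring_metadata:
        missing = sorted(set(rule.get("indicators", [])) - known)
        if missing:
            result[rule["name"]] = missing
    return result


def simulate_indicator_delete(indicator_metadata, indicator_name):
    """Mirror the KV store effect of Delete Behavioral Indicators: only the
    indicator's own metadata record is dropped; dependent rules are untouched."""
    return [r for r in indicator_metadata if r["name"] != indicator_name]


def kvstore_records(base_url, app, collection, user, password, verify_tls=True):
    """Fetch a KV store collection over Splunk's REST API.

    Needs a live instance (default management port 8089), so it is not
    exercised offline. `app` is whatever the app is installed as (assumption).
    Example: kvstore_records("https://splunk:8089", "my_app",
                             "scoring_search_metadata", "admin", "pw")"""
    url = f"{base_url}/servicesNS/nobody/{app}/storage/collections/data/{collection}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab instances with self-signed certs only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    target = "bi_new_admin_login"
    print(f"rules depending on {target}:",
          dependent_rules(SAMPLE_SCORING_METADATA, target))
    remaining = simulate_indicator_delete(SAMPLE_INDICATOR_METADATA, target)
    print("orphaned rules after delete:",
          orphaned_rules(SAMPLE_SCORING_METADATA, remaining))
```

Against a live instance, replace the sample lists with `kvstore_records(...)` calls for the two collections and run `dependent_rules` before each indicator deletion; a non-empty `orphaned_rules` result afterwards is the list of scoring rules to delete or re-point. Neither function touches the indicator_index or scoring_index, which matches the delete pages: previously written values stay where they are.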