How can i delete event logs from specific log sources?

Hello Vusal,

The way to delete the event logs from EP/Console would be to set the Retention Buckets where you will provide Log Sources as the filter.

Once this configuration is done, perform a full deploy and then monitor if the events are deleted after the specified time period for the particular log source.

This is the correct approach to delete event logs.

If there are any issues with Retention Bucket, you may open a support case for further investigation.

Thanks!

Ashish Kothekar

Hi Ashish Kothekar .

Thanks for answer. I checked with retention bucket but no result.  I think that may be with aql can delete.

Hello Vusal,

There may be something which is not configured correctly for the retention bucket that would need to be checked.

AQL is for querying the Ariel Database. It does NOT have a function to delete ariel data ( events ).

https://www.ibm.com/docs/en/SS42VS_7.3.3/com.ibm.qradar.doc/b_qradar_aql.pdf

Thanks!

Ashish Kothekar

The only method to delete data in QRadar is to use a Retention Bucket. When the date on the event data is older than the retention period, there is a Disk Sentry process that removes data from the appliance at the top of the hour. You cannot use AQL to remove data from QRadar.

If you have a retention bucket created and you do not believe the data is being removed as expected, then you should open a case.