FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
mbenvenuti
Staff
Article Id 385731
Description This document describes how to delete events from the ClickHouse event database.
Scope FortiSIEM.
Solution

It may be necessary to remove events from the ClickHouse event database, for example to drop noisy events that clutter query results, or to purge events that were wrongly parsed and inserted so that they can be reinserted correctly.

Warning: the following steps should be used with caution. They run as root directly against the online event storage, and a DELETE cannot be undone: every event matched by the filter disappears from FortiSIEM queries and reports.


  1. Identify the events and make sure the filter is correct.

Find a keyword that is common to the events that need to be deleted and that does not occur in events that must be kept. The raw message (rawEventMsg) is matched with ILIKE, so the comparison is case-insensitive.

The following command shows up to 5 events matching the filter. Replace KEYWORD and the time window as appropriate (phRecvTime is the time at which FortiSIEM received the event; a date-only bound such as '2024-07-05' means 2024-07-05 00:00:00, so the window below covers 4 July only), and check that the sample contains only events that should be deleted.

Run the following from the Supervisor (super) CLI as the root user:



clickhouse-client -q "SELECT * FROM fsiem.events_replicated WHERE phRecvTime BETWEEN '2024-07-04' AND '2024-07-05' AND rawEventMsg ILIKE '%KEYWORD%' LIMIT 5 FORMAT Vertical"

  2. Run the DELETE command.

Once the 5 sample events are confirmed to be the ones to delete (and, ideally, a count of all events matching the filter is the number you expect), reuse exactly the same filter with a DELETE operation:


clickhouse-client -q "DELETE FROM fsiem.events_replicated WHERE phRecvTime BETWEEN '2024-07-04' AND '2024-07-05' AND rawEventMsg ILIKE '%KEYWORD%'"

Commands may take a considerable time to run, depending on the number of events matched. The client may even report a timeout, but this does not mean the statement was not executed: the DELETE runs as a mutation on the ClickHouse server and continues after the client gives up, so do not assume it has to be rerun. Its progress can be followed in the system.mutations table.

Be aware that these steps use a lightweight DELETE: matched rows stop appearing in query results as soon as the mutation has been applied, but the disk space is only reclaimed when ClickHouse later merges the affected parts, so free space will not increase right away.
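The procedure above comes down to two statements that differ only in the verb, both typed as root with an operator-supplied keyword pasted into the query string. As an added example (this is not code from the Fortinet article or from FortiSIEM itself), the following POSIX shell script builds the sample, count and DELETE statements from a time window and a keyword, escapes the keyword so that quotes, percent signs and underscores in it cannot widen the filter, shows the count and asks for confirmation before deleting, tolerates the client timeout described above instead of treating it as failure, and then prints the state of the mutation from ClickHouse's standard system.mutations table. It assumes clickhouse-client is on PATH (as on the Supervisor) and uses the table and column names from the article; the function names and the script name are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Fortinet article: a guarded wrapper around the
# SELECT / DELETE pair. Assumptions: clickhouse-client is on PATH (as on the
# FortiSIEM Supervisor) and the table fsiem.events_replicated has the
# phRecvTime and rawEventMsg columns used in the article.
set -eu

TABLE="fsiem.events_replicated"

# Escape a raw keyword for use between quotes in an ILIKE pattern.
# ClickHouse string literals use backslash escapes, and LIKE/ILIKE give
# backslash, % and _ a special meaning, so those need two levels of escaping:
#   \  ->  \\\\   (one literal backslash in the pattern)
#   %  ->  \\%    (a literal percent sign)
#   _  ->  \\_    (a literal underscore)
#   '  ->  \'     (would otherwise terminate the string literal)
# Without this, a keyword such as  ' OR 1=1 OR '  widens the DELETE to every
# event in the time window.
ch_like_escape() {
  printf '%s\n' "$1" | sed \
    -e 's/\\/\\\\\\\\/g' \
    -e 's/%/\\\\%/g' \
    -e 's/_/\\\\_/g' \
    -e "s/'/\\\\'/g"
}

# Accept only YYYY-MM-DD or 'YYYY-MM-DD HH:MM:SS', the forms ClickHouse parses
# into a DateTime. Every line of the argument must match (grep -v finds any
# that does not), so a bound containing a newline is rejected as well.
validate_datetime() {
  ! printf '%s\n' "$1" |
    grep -Evq '^[0-9]{4}-[0-9]{2}-[0-9]{2}( [0-9]{2}:[0-9]{2}:[0-9]{2})?$'
}

# build_where START END KEYWORD: the filter shared by all three statements.
build_where() {
  validate_datetime "$1" && validate_datetime "$2" || {
    echo "build_where: time bounds must be YYYY-MM-DD[ HH:MM:SS]" >&2
    return 2
  }
  [ -n "$3" ] || {
    echo "build_where: an empty keyword would match every event" >&2
    return 2
  }
  printf "phRecvTime BETWEEN '%s' AND '%s' AND rawEventMsg ILIKE '%%%s%%'" \
    "$1" "$2" "$(ch_like_escape "$3")"
}

# build_query sample|count|delete START END KEYWORD: a complete statement, or
# nothing and a non-zero status if the filter could not be built safely.
build_query() {
  kind=$1; shift
  where=$(build_where "$@") || return 2
  case $kind in
    sample) printf 'SELECT * FROM %s WHERE %s LIMIT 5 FORMAT Vertical' "$TABLE" "$where" ;;
    count)  printf 'SELECT count() FROM %s WHERE %s' "$TABLE" "$where" ;;
    delete) printf 'DELETE FROM %s WHERE %s' "$TABLE" "$where" ;;
    *) echo "build_query: unknown kind '$kind'" >&2; return 2 ;;
  esac
}

# The procedure itself: sample, count, confirm, delete, then show the
# lightweight-delete mutation that ClickHouse queued for the table.
main() {
  [ $# -eq 3 ] || { echo "usage: $0 START END KEYWORD" >&2; exit 2; }
  sample=$(build_query sample "$@")   # set -e stops here on unsafe arguments
  count=$(build_query count "$@")
  delete=$(build_query delete "$@")

  echo "== up to 5 matching events =="
  clickhouse-client -q "$sample"
  n=$(clickhouse-client -q "$count")
  printf '== %s events match. Type DELETE to remove them: ' "$n"
  read -r answer
  [ "$answer" = "DELETE" ] || { echo "aborted, nothing deleted"; exit 1; }

  # A client timeout does not cancel the server-side mutation, so report it
  # instead of aborting and let the mutation status below tell the truth.
  clickhouse-client -q "$delete" ||
    echo "clickhouse-client exited non-zero (possibly a timeout); check the mutation status below" >&2

  # Lightweight DELETE is applied as a mutation: is_done = 0 means it is still
  # running, a non-empty latest_fail_reason means it failed.
  clickhouse-client -q "SELECT mutation_id, command, create_time, is_done, latest_fail_reason
    FROM system.mutations
    WHERE database = 'fsiem' AND table = 'events_replicated'
    ORDER BY create_time DESC LIMIT 5 FORMAT Vertical"
}

# Run the procedure only when arguments are given; sourcing the file makes
# build_query available for previewing statements without touching the DB.
if [ $# -gt 0 ]; then main "$@"; fi
```

Saved as, say, delete_events.sh (a hypothetical name) and run as root on the Supervisor with sh delete_events.sh 2024-07-04 2024-07-05 KEYWORD, it prints the same sample the article's first command produces, then the count, and only issues the DELETE after the operator types DELETE. Sourcing the file instead and calling build_query delete 2024-07-04 2024-07-05 KEYWORD prints the article's DELETE statement without executing it, which is a convenient way to review the filter before touching the event store.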
