Redact Events API

Security Requirements and Controls

Falcon LogScale has support for redacting individual events from the compressed segment files.

The redactEvents() API is intended to support removal of a small number of events from LogScale, allowing you to eliminate specific events that must be removed. For example:

  • Removing personally identifiable information (e.g., due to a GDPR request)

  • Removing accidentally logged passwords

  • Removing confidential data

Note

Note that the start and end timestamps in a redaction request are used to create a time interval based on the @timestamp of the events. This is comparable to a time interval selection, such as you would carry out in the LogScale UI. See also Parsing Timestamps for more details.

The redaction API does not guarantee that redacting events will recover disk space, and is not intended to support data management or bulk deletion. If you want to bulk delete data, you may want to set Data Retention, or use the GraphQL API to delete the relevant dataspaces or datasources.

The redaction mechanism works by:

  • Initially excluding the events you mark for redaction from future queries by filtering all query results

  • Once LogScale determines that it is safe to do so, it will rewrite the affected segments, excluding the events that were marked for redaction.

As rewriting segments is an expensive operation, we strongly discourage using this API in cases for which appropriate retention settings, or explicit deletions of dataspaces, would suffice.

Note

Field Aliasing is not enabled when using deletion filter queries. Ensure that you are not using aliased fields in the filter query executed through this API. For more information, see Searches with Query Prefixes.

Submitting a Redaction Request

The redactEvents() GraphQL mutation can be used to submit deletions.

This is an example redacting all events with a password field in the specified time interval in milliseconds.

Show:
graphql
mutation {
  redactEvents(
    input: {
      repositoryName: "sandbox",
      start: "2024-11-12T03:00:00.000Z",
      end: "2024-11-12T03:15:00.000Z",
      query: "password=*",
      userMessage: "Hiding Passwords"
    }
  )
}
Example Responses
Show:
json
{
  "data": {
    "redactEvents": "N8M03lslv8UxWSlCzNmyASN1"
  }
}

The mutation will return the ID of the submitted redaction task:

json
{
   "data" : {
      "redactEvents" : "e4G6TWjXVxbNyF5hDLrvBJAV"
   }
}

Viewing Existing Requests

The redactEvents() GraphQL query will return the list of redaction tasks that have not yet completed segment rewrites.

Show:
graphql
query {
  redactEvents(repositoryName:"humio")
  {id, created, start, end, query}
}

Returns:

json
{
   "data" : {
      "redactEvents" : "e4G6TWjXVxbNyF5hDLrvBJAV"
   }
}

It is possible to cancel submitted redactions via the cancelRedactEvents() mutation.

Cancellation is best-effort, and if events have already been redacted from segments, they will not be restored.

Field Aliasing is not enabled when using a deletion filter query, meaning that aliased fields won't be available for queries executed through this API. Ensure that you are not using aliased fields in the filter query used with the API. For more information, see Searches with Query Prefixes.