https://community.splunk.com/t5/Getting-Data-In/Remove-events-to-avoid-delayed-logging/m-p/140870#M28850 <P>If those cases really are rare you can use the <CODE>delete</CODE> command to selectively mark events as deleted. That won't clear up space, and isn't recommended for frequent use.</P> Mon, 14 Jul 2014 09:18:36 GMT martin_mueller 2014-07-14T09:18:36Z https://community.splunk.com/t5/Getting-Data-In/Remove-events-to-avoid-delayed-logging/m-p/140869#M28849 <P>Our generated logs need to be verified for correctness. After verification, they are sent to splunk. </P> <P>Problem is the verification happens some hours after the logs are generated. This means they are sent to splunk hours after they are created (ie logs appear delayed, not in real time).</P> <P>In 99.9999% of all cases, logs are verified ok which means this delay not needed.</P> <P>Is there a way around this? My naive idea is to have splunk pick up the unverified logs immediately, and then (hours later) when they are verified confirm them in splunk or delete/mark/evict invalid logs from the index.</P> <P>Is this possible or can I use some other approach?</P> <P>/Thanks!</P> Mon, 14 Jul 2014 09:08:28 GMT https://community.splunk.com/t5/Getting-Data-In/Remove-events-to-avoid-delayed-logging/m-p/140869#M28849 wickman 2014-07-14T09:08:28Z https://community.splunk.com/t5/Getting-Data-In/Remove-events-to-avoid-delayed-logging/m-p/140870#M28850 <P>If those cases really are rare you can use the <CODE>delete</CODE> command to selectively mark events as deleted. That won't clear up space, and isn't recommended for frequent use.</P> Mon, 14 Jul 2014 09:18:36 GMT https://community.splunk.com/t5/Getting-Data-In/Remove-events-to-avoid-delayed-logging/m-p/140870#M28850 martin_mueller 2014-07-14T09:18:36Z https://community.splunk.com/t5/Getting-Data-In/Remove-events-to-avoid-delayed-logging/m-p/140871#M28851 <P>Is it possible to script the <CODE>delete</CODE> command remotely? I'm thinking the verifier could do that automatically when it detects an invalid log?</P> Mon, 14 Jul 2014 09:21:03 GMT https://community.splunk.com/t5/Getting-Data-In/Remove-events-to-avoid-delayed-logging/m-p/140871#M28851 wickman 2014-07-14T09:21:03Z https://community.splunk.com/t5/Getting-Data-In/Remove-events-to-avoid-delayed-logging/m-p/140872#M28852 <P>Sure, you can start any search job remotely via the REST API or one of the SDKs available at <A href="http://dev.splunk.com/">http://dev.splunk.com/</A></P> Thu, 17 Jul 2014 10:28:05 GMT https://community.splunk.com/t5/Getting-Data-In/Remove-events-to-avoid-delayed-logging/m-p/140872#M28852 martin_mueller 2014-07-17T10:28:05Z