https://community.splunk.com/t5/Getting-Data-In/Combine-collect-and-delete-commands-in-one-pipe/m-p/442357#M77086 <P>Hello again @dreadangel,</P> <P>It's not possible to combine both collect &amp; delete in the same search. You should use two different searches to achieve this. Step 1 move, step 2 delete.</P> <P>PS: deleting does not really delete the data, more info here : <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Delete">https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Delete</A> <BR /> If you want to get rid of the data you should delete the entire index or the relevant buckets. </P> <P>If what you're doing is simply for replacing <CODE>status=low</CODE> by <CODE>status=none</CODE> you can easily do that via props and transforms as shown here <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/Forwarding/Routeandfilterdatad">https://docs.splunk.com/Documentation/Splunk/7.2.6/Forwarding/Routeandfilterdatad</A></P> <P>Cheers,<BR /> David</P> Wed, 08 May 2019 09:24:53 GMT DavidHourani 2019-05-08T09:24:53Z https://community.splunk.com/t5/Getting-Data-In/Combine-collect-and-delete-commands-in-one-pipe/m-p/442355#M77084 <P>Attempting "move" some logs events to other index and after delete those events from original index:</P> <PRE><CODE>index="server_logs" status=low | eval old_raw=_raw | eval _raw=replace(_raw,"status=low", "status=none") | collect index="old_logs_index" | eval _raw=old_raw | delete </CODE></PRE> <P>The pipe fails to execute - any thoughts if it's possible to combine <STRONG>collect</STRONG> and <STRONG>delete</STRONG> in one pipe ? </P> Wed, 08 May 2019 08:43:59 GMT https://community.splunk.com/t5/Getting-Data-In/Combine-collect-and-delete-commands-in-one-pipe/m-p/442355#M77084 dreadangel 2019-05-08T08:43:59Z https://community.splunk.com/t5/Getting-Data-In/Combine-collect-and-delete-commands-in-one-pipe/m-p/442356#M77085 <P>Few things to be test out before<BR /> 1. delete won't delete the data, but just hides from user<BR /> 2. delete key-word requires special capabilities. Not even "admin" role have "delete" capability by default. So you may need to add it separately to your user/role<BR /> 3. Any chance "NOT to" index the <CODE>status=low</CODE> data into the <CODE>server_logs</CODE> at first point? This is pretty easy at index time and can be redirected to another index<BR /> 4. You could produce a macro for old index and give it to users , where the content of macro is <CODE>index=server_logs status!=low</CODE><BR /> 5. Lastly, if its archive data, why you can't do in 2 steps? ie. summary index fields &amp;&amp; then delete . for all new events, do at indextime</P> Wed, 08 May 2019 09:10:47 GMT https://community.splunk.com/t5/Getting-Data-In/Combine-collect-and-delete-commands-in-one-pipe/m-p/442356#M77085 koshyk 2019-05-08T09:10:47Z https://community.splunk.com/t5/Getting-Data-In/Combine-collect-and-delete-commands-in-one-pipe/m-p/442357#M77086 <P>Hello again @dreadangel,</P> <P>It's not possible to combine both collect &amp; delete in the same search. You should use two different searches to achieve this. Step 1 move, step 2 delete.</P> <P>PS: deleting does not really delete the data, more info here : <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Delete">https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Delete</A> <BR /> If you want to get rid of the data you should delete the entire index or the relevant buckets. </P> <P>If what you're doing is simply for replacing <CODE>status=low</CODE> by <CODE>status=none</CODE> you can easily do that via props and transforms as shown here <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/Forwarding/Routeandfilterdatad">https://docs.splunk.com/Documentation/Splunk/7.2.6/Forwarding/Routeandfilterdatad</A></P> <P>Cheers,<BR /> David</P> Wed, 08 May 2019 09:24:53 GMT https://community.splunk.com/t5/Getting-Data-In/Combine-collect-and-delete-commands-in-one-pipe/m-p/442357#M77086 DavidHourani 2019-05-08T09:24:53Z https://community.splunk.com/t5/Getting-Data-In/Combine-collect-and-delete-commands-in-one-pipe/m-p/442358#M77087 <P>Hi,</P> <P>Yeah - I know about <STRONG>delete</STRONG> command that not actually deletes the data. <BR /> Unfortunately all this stuff is needed to "edit" the events from index - just imagine that <CODE>index="server_logs"</CODE>and <CODE>index="old_logs_index"</CODE>` are the same.</P> <P>Anyway thanks for the tip - at last it allowed me not to loose a lot of time investigating.</P> <P>P/S This is not a wantie of me - it's bosses' wantie - </P> Wed, 08 May 2019 09:35:04 GMT https://community.splunk.com/t5/Getting-Data-In/Combine-collect-and-delete-commands-in-one-pipe/m-p/442358#M77087 dreadangel 2019-05-08T09:35:04Z https://community.splunk.com/t5/Getting-Data-In/Combine-collect-and-delete-commands-in-one-pipe/m-p/442359#M77088 <P>hahah, yeah the bosses get what they want...and yeah if the data is already there you're sort of stuck. In any case let me know if you have any issues with routing the data when you attempt that for new data, happy to assist you !</P> Wed, 08 May 2019 09:40:29 GMT https://community.splunk.com/t5/Getting-Data-In/Combine-collect-and-delete-commands-in-one-pipe/m-p/442359#M77088 DavidHourani 2019-05-08T09:40:29Z https://community.splunk.com/t5/Getting-Data-In/Combine-collect-and-delete-commands-in-one-pipe/m-p/442360#M77089 <P>the issue I'm facing at the moment is how to execute the sequence of those two commands <STRONG>collect</STRONG> and <STRONG>delete</STRONG>, even via UI - any thoughts or suggestions?</P> Wed, 08 May 2019 11:53:56 GMT https://community.splunk.com/t5/Getting-Data-In/Combine-collect-and-delete-commands-in-one-pipe/m-p/442360#M77089 dreadangel 2019-05-08T11:53:56Z