<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: methods for removing specific data  performance in Monitoring Splunk</title>
    <link>https://community.splunk.com/t5/Monitoring-Splunk/methods-for-removing-specific-data-performance/m-p/93455#M1118</link>
    <description>&lt;P&gt;What happens to data with a sourcetype of my_sourcetype that doesn't match the regex? Does it go to the main index?&lt;/P&gt;</description>
    <pubDate>Mon, 21 Jan 2013 13:51:29 GMT</pubDate>
    <dc:creator>brettcave</dc:creator>
    <dc:date>2013-01-21T13:51:29Z</dc:date>
    <item>
      <title>methods for removing specific data  performance</title>
      <link>https://community.splunk.com/t5/Monitoring-Splunk/methods-for-removing-specific-data-performance/m-p/93452#M1115</link>
      <description>&lt;P&gt;Hi, I've been reading over the threads on the topic, and most Splunkers are looking at removing some data for space-saving purposes, but I haven't come across any responses addressing performance.&lt;/P&gt;

&lt;P&gt;Our Splunk data has a few different data types - analytics data, backup reports, internal testing logs and some others. While we want to keep analytics data for indefinite periods, I am finding that the reports are becoming very sluggish, and was wondering what approach would be best to strip out specific data. Would the ' | delete ' command prevent the events from being scanned during reporting and improve performance? Or is there another mechanism that would work better for this?&lt;/P&gt;

&lt;P&gt;The sort of approach I am looking for, as an example, would be to remove / archive / purge:&lt;/P&gt;

&lt;UL&gt;
&lt;LI&gt;backup logs older than 14 days&lt;/LI&gt;
&lt;LI&gt;analytics / web access logs flagged as internal users or from certain IP addresses ("internal" based on a field extractor, IP based on inputlookup )&lt;/LI&gt;
&lt;LI&gt;application logs matching certain search terms older than 30 days&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Mon, 21 Jan 2013 12:23:08 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Monitoring-Splunk/methods-for-removing-specific-data-performance/m-p/93452#M1115</guid>
      <dc:creator>brettcave</dc:creator>
      <dc:date>2013-01-21T12:23:08Z</dc:date>
    </item>
    <item>
      <title>Re: methods for removing specific data  performance</title>
      <link>https://community.splunk.com/t5/Monitoring-Splunk/methods-for-removing-specific-data-performance/m-p/93453#M1116</link>
      <description>&lt;P&gt;Busy reading up on creating multiple indexes: &lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setupmultipleindexes"&gt;http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setupmultipleindexes&lt;/A&gt;. It offers what I am looking for.&lt;/P&gt;</description>
      <pubDate>Mon, 21 Jan 2013 12:28:17 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Monitoring-Splunk/methods-for-removing-specific-data-performance/m-p/93453#M1116</guid>
      <dc:creator>brettcave</dc:creator>
      <dc:date>2013-01-21T12:28:17Z</dc:date>
    </item>
    <item>
      <title>Re: methods for removing specific data  performance</title>
      <link>https://community.splunk.com/t5/Monitoring-Splunk/methods-for-removing-specific-data-performance/m-p/93454#M1117</link>
      <description>&lt;P&gt;I am following the example to try to redirect a sourcetype to an alternative index. The sourcetype definition uses an extract. After adding the transforms to props.conf, I don't see the transformation in the web manager. This is what I have:&lt;/P&gt;

&lt;P&gt;props.conf:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[my_sourcetype]
EXTRACT-backuplog = STATUS: \[Name: (?P&amp;lt;JobName&amp;gt;[^,]+), Result: (?P&amp;lt;JobResult&amp;gt;[^;]+);
TRANSFORMS-index = IndexRedirect
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;transforms.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[IndexRedirect]
REGEX = STATUS: \[Job:
DEST_KEY = _MetaData:Index
FORMAT = backup_index
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;How would I configure an extractor and a transform for a sourcetype?&lt;/P&gt;</description>
      <pubDate>Mon, 21 Jan 2013 12:57:14 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Monitoring-Splunk/methods-for-removing-specific-data-performance/m-p/93454#M1117</guid>
      <dc:creator>brettcave</dc:creator>
      <dc:date>2013-01-21T12:57:14Z</dc:date>
    </item>
    <item>
      <title>Re: methods for removing specific data  performance</title>
      <link>https://community.splunk.com/t5/Monitoring-Splunk/methods-for-removing-specific-data-performance/m-p/93455#M1118</link>
      <description>&lt;P&gt;What happens to data with a sourcetype of my_sourcetype that doesn't match the regex? Does it go to the main index?&lt;/P&gt;</description>
      <pubDate>Mon, 21 Jan 2013 13:51:29 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Monitoring-Splunk/methods-for-removing-specific-data-performance/m-p/93455#M1118</guid>
      <dc:creator>brettcave</dc:creator>
      <dc:date>2013-01-21T13:51:29Z</dc:date>
    </item>
  </channel>
</rss>

