Remove data from Index

efelder0
Communicator

I have indexed many months worth of data, but would like to "remove" only the first of the 3 months worth of data. However, I cannot clean out the entire index. Is this possible with the clean eventdata command?


MuS
Legend

Hi efelder0,

You can search for the data you no longer need and append

| delete 

to it. This data will then no longer be searchable, but it is still in the index.

Hope this helps.

Cheers,
MuS

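The workflow behind the accepted answer, written out as an added example that is not part of the original post (the same pattern covers botkindl's case below, where the search would select the bogus hostnames instead of a time window). The index name `web` and the January 2014 window are assumptions; pick the real index and dates. Lines starting with `#` are annotations for the reader, not SPL, and must be dropped when a search is pasted into the search bar. Each search is run on its own.

```spl
# Step 1: dry run. Scope the search to exactly the first month and count
# what would be hidden, broken down so a wrong index or window is obvious.
index=web earliest="01/01/2014:00:00:00" latest="02/01/2014:00:00:00"
| stats count BY host, sourcetype

# Step 2: the actual delete. Same search, with | delete appended.
# Run it as a user holding the can_delete capability (the admin role does
# not have it by default; assign the can_delete role temporarily), as a
# normal search, not a real-time search. It is irreversible. The result
# reports how many events were marked deleted per index.
index=web earliest="01/01/2014:00:00:00" latest="02/01/2014:00:00:00"
| delete

# Step 3: verify. The same window now returns no events.
index=web earliest="01/01/2014:00:00:00" latest="02/01/2014:00:00:00"
| stats count

# Step 4: what delete does NOT do. Buckets keep their size on disk, and the
# metadata tables still list the sourcetypes (and hosts/sources) of the
# hidden events, as linu1988 notes below.
| dbinspect index=web
| table bucketId, startEpoch, endEpoch, sizeOnDiskMB, eventCount

| metadata type=sourcetypes index=web

# Step 5: the delete itself is recorded. Keep this for the auditors.
index=_audit action=search search="*|*delete*"
| table _time, user, search
```

Disk space is only reclaimed when whole buckets age out of the index (the retention settings in indexes.conf, such as frozenTimePeriodInSecs) or when the index is wiped with splunk clean eventdata; | delete changes neither.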

jtashiro
New Member

Can someone at Splunk explain the purpose of the "delete" command, if it doesn't actually delete data from an index, but makes it unsearchable? As I understand it, the "delete" operation is irreversible, the deleted data continues to consume disk space, and there is no way to free that up. Doesn't make sense to me. Am I not understanding it?

botkindl
Explorer

It's very useful in some cases. For instance, we had an issue where logrotate was rotating syslogs and Splunk was indexing them (fixed with a blacklist entry). Users were getting totally confused by the "extra" hostnames, which were actually filenames from the rotated files -- and the log messages were duplicated as well. So we ran a search, piped it to delete, and everyone is happy.

At the same time, I don't ever have to explain (or defend) to our internal audit folks how and why we can actually delete data. No matter if we delete it or not, it's still there in the rawdata files and still can be found if needed. I think it's a good compromise of being able to remove extraneous/distracting search results, and being able to say that the data is permanent.

aaraneta_splunk
Splunk Employee

Hi @jtashiro,

Have you checked out the accepted answer at this link? It may be a good place to start.

However, if you are not satisfied with that explanation, I would suggest posting a new question about this topic since this post is from over 3 years ago and may not get the visibility you would like in order to help you.


jtashiro
New Member

I've read the accepted answer, and it doesn't satisfy my question. The question is best answered by Splunk technical team, with insight into why 'delete' was built to hide/mask data, but not actually 'delete' it and free up space. The 'delete' command is inaccurately and poorly named.


linu1988
Champion

Adding to that, metadata will still be available. That can't be removed with delete.