Attempting to "move" some log events to another index and afterwards delete those events from the original index:
index="server_logs" status=low
| eval old_raw=_raw
| eval _raw=replace(_raw,"status=low", "status=none")
| collect index="old_logs_index"
| eval _raw=old_raw
| delete
The pipe fails to execute - any thoughts on whether it's possible to combine collect and delete in one pipe?
Hello again @dreadangel,
It's not possible to combine both collect & delete in the same search. You should use two different searches to achieve this. Step 1 move, step 2 delete.
PS: deleting does not really delete the data, more info here: https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Delete
If you want to get rid of the data you should delete the entire index or the relevant buckets.
If what you're doing is simply replacing status=low by status=none, you can easily do that via props and transforms as shown here: https://docs.splunk.com/Documentation/Splunk/7.2.6/Forwarding/Routeandfilterdatad
Cheers,
David
Hi,
Yeah - I know that the delete command doesn't actually delete the data.
Unfortunately all this stuff is needed to "edit" the events in the index - just imagine that index="server_logs" and index="old_logs_index" are the same.
Anyway thanks for the tip - at least it allowed me not to lose a lot of time investigating.
PS: This is not a wantie of mine - it's the bosses' wantie -
hahah, yeah the bosses get what they want...and yeah if the data is already there you're sort of stuck. In any case let me know if you have any issues with routing the data when you attempt that for new data, happy to assist you!
The issue I'm facing at the moment is how to execute the sequence of those two commands, collect and delete, even via the UI - any thoughts or suggestions?
A few things to test out first:
1. delete won't delete the data, it just hides it from users.
2. The delete keyword requires special capabilities. Not even the "admin" role has the "delete" capability by default, so you may need to add it separately to your user/role.
3. Any chance of NOT indexing the status=low data into server_logs in the first place? This is pretty easy at index time, and the data can be redirected to another index.
4. You could produce a macro for the old index and give it to users, where the content of the macro is index=server_logs status!=low
5. Lastly, if it's archive data, why can't you do it in 2 steps? i.e. summary index the fields && then delete. For all new events, do it at index time.
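Both answers above point at the same index-time fix for new data: either rewrite status=low to status=none (David's props/transforms suggestion) or route the status=low events into another index (point 3). The stanzas below are an added example, not configuration from either poster; the sourcetype name server_logs_st is an assumed placeholder, and the two options are shown as alternatives, not to be enabled together on the same sourcetype.

```ini
# props.conf  (on the indexers or heavy forwarders that parse the data,
# not on universal forwarders; index-time settings only affect new events)
[server_logs_st]                        ; assumed sourcetype name
# Option A: relabel the field value in _raw before it is indexed.
SEDCMD-relabel_low = s/status=low/status=none/
# Option B: hand the event to a transform that changes its destination index.
# TRANSFORMS-route_low = route_low_to_old_index

# transforms.conf
[route_low_to_old_index]
# REGEX is matched against _raw by default (SOURCE_KEY = _raw).
REGEX = status=low
# Overwrite the index metadata; old_logs_index must already exist in indexes.conf.
DEST_KEY = _MetaData:Index
FORMAT = old_logs_index
```

Option A leaves the event in server_logs with the rewritten value; Option B keeps _raw intact but the event lands in old_logs_index and will no longer show up in searches against server_logs. Existing events are untouched either way, which is why the two-step collect-then-delete search is still needed for the backlog.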