Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why do I get errors for index=__ALL__ when using | delete?

ddrillic
Ultra Champion
‎09-08-2017 04:20 PM

When deleting via index=xxx sourcetype=yyyy | delete I got the following page -

alt text

So, in addition to the proper index xxx report of 0 errors for the various indexers, I also got these lines for the different indexers. Why do they mean?

Tags (2)
error-while-deleting-3.jpg
Preview file
46 KB
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎09-10-2017 01:31 PM

Some of the errors numbers look an awful lot like an integer overflow/underflow. I'd say this is probably a bug, something treating an integer as signed in some places, unsigned in others ...

2^64 - 18446744073709539157 = 12459
2^64 - 18446744073709539122 = 12494

Both of these are really near the order of magnitude of other values of 'errors' in the screen shot. Smells plausible.

0 Karma
Reply

ddrillic
Ultra Champion
‎09-10-2017 06:37 PM

Very interesting!!!!!

0 Karma
Reply

lguinn2
Legend
‎09-10-2017 10:41 AM

Wow - I don't know what happened here, but you are deleting a boatload of data. It's possible that you have exceeded the design specs for the delete command.

I suggest that you search the internal log files for more information. Try this search, being sure to set the timerange to just around the time of the delete command:

index=_internal OR index=_audit log_level=error OR log_level=warn

Hopefully that will give you more info...

0 Karma
Reply

ddrillic
Ultra Champion
‎09-10-2017 06:38 PM

Perfect - let me try....

0 Karma
Reply

ddrillic
Ultra Champion
‎09-10-2017 06:39 PM

And the index=__ALL__ - what's that?

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...
Top