Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why do I get errors for index=__ALL__ when using | delete?

ddrillic
Ultra Champion
‎09-08-2017 04:20 PM

When deleting via index=xxx sourcetype=yyyy | delete I got the following page -

alt text

So, in addition to the proper index xxx report of 0 errors for the various indexers, I also got these lines for the different indexers. Why do they mean?

Tags (2)
Preview file
46 KB
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎09-10-2017 01:31 PM

Some of the errors numbers look an awful lot like an integer overflow/underflow. I'd say this is probably a bug, something treating an integer as signed in some places, unsigned in others ...

2^64 - 18446744073709539157 = 12459
2^64 - 18446744073709539122 = 12494

Both of these are really near the order of magnitude of other values of 'errors' in the screen shot. Smells plausible.

0 Karma
Reply

ddrillic
Ultra Champion
‎09-10-2017 06:37 PM

Very interesting!!!!!

0 Karma
Reply

lguinn2
Legend
‎09-10-2017 10:41 AM

Wow - I don't know what happened here, but you are deleting a boatload of data. It's possible that you have exceeded the design specs for the delete command.

I suggest that you search the internal log files for more information. Try this search, being sure to set the timerange to just around the time of the delete command:

index=_internal OR index=_audit log_level=error OR log_level=warn

Hopefully that will give you more info...

0 Karma
Reply

ddrillic
Ultra Champion
‎09-10-2017 06:38 PM

Perfect - let me try....

0 Karma
Reply

ddrillic
Ultra Champion
‎09-10-2017 06:39 PM

And the index=__ALL__ - what's that?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...