'delete' operator and licensing

tgiles
Path Finder

Hi, all.

Is anyone familiar with how using the 'delete' operator in Splunk affects licensing?

On our network, we have a number of 'yappy' devices that send in logs that are just not needed in any way, shape, or form.

I'm curious how Splunk licensing handles me performing deletes on the unneeded data that I get in from them: would the indexed data be counted anyway, or would Splunk count it as 'no longer there, so not charging for it'?

I'd really like to wrap up the 'unusable' data into a couple of searches and schedule them to purge overnight to keep splunk focused on data that I really do want information on.

I'd love to hear any insights, opinions, or pointers to available documentation, if there is any.

Cheers,

tgiles
Path Finder

Correct, the scheduled searches would be to handle (remove) the unwanted events.

southeringtonp
Motivator

What is the purpose of the scheduled searches you mention? Is it solely to remove the unwanted events, or are you wanting to do some processing on those events (summary indexing, alerting, etc.) before they are removed?

Genti
Splunk Employee

That's not the right way to go about it.
First, no, using the | delete command does not clean your license up.
To begin with, for the events to show up in your searches, it means that they have already been indexed, and hence already counted towards your license.

If there are events that you do not wish, then you have a few options:
- Make your data inputs a bit more refined
- Use whitelists and blacklists for your inputs.
- Route specific events to nullqueue if needed.

Instructions for all of the above are easily found on the splunk.com documentation page. Links:
http://www.splunk.com/base/Documentation/4.1.5/admin/Whitelistorblacklistspecificincomingdata
http://www.splunk.com/base/Documentation/4.1.5/Admin/Routeandfilterdata#Filter_event_data_and_send_t...

So, to conclude it all, the idea here is to NOT index any data that you do not want! (and not index it and then delete it...)

Hope this helped,
.gz
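The following stanzas are an added example of the second and third options above (input whitelist/blacklist and routing to nullqueue); they are not from this thread, and the host pattern, file paths and regexes are made up for illustration. They are assumed to live on the indexer or heavy forwarder that parses the data, since a universal forwarder does not run transforms.

```ini
# inputs.conf: only pick up the files we care about from a monitored
# directory. whitelist/blacklist are regexes matched against the full path.
[monitor:///var/log/devices]
whitelist = \.log$
blacklist = (debug|trace)\.log$
sourcetype = device_syslog

# props.conf: attach transforms to events from the noisy hosts (constructed
# host pattern). Transforms run in the order listed: "setnull" first sends
# every event to nullqueue, then "keep_alerts" pulls the wanted ones back.
[host::noisy-device-*]
TRANSFORMS-filter = setnull, keep_alerts

# transforms.conf
# Default: drop everything from the matched hosts. Events routed to nullqueue
# are never indexed, so they never count against the license.
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullqueue

# Exception: keep the events that actually matter. These are indexed and
# counted as usual. The regex is illustrative only.
[keep_alerts]
REGEX = (?i)(auth(entication)? fail|link down|config(uration)? change)
DEST_KEY = queue
FORMAT = indexQueue
```

If only a known-bad pattern needs dropping (heartbeats, keepalives), a single transform with REGEX matching that pattern and FORMAT = nullqueue is enough; the two-step form above is for the case where most of a host's output is noise and only a few event types are worth the license.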

gkanapathy
Splunk Employee

Note also that using | delete does not free up disk space in the index, and that using it this way (regularly) will thus result in worse search performance over time than if the data had not been indexed in the first place.
