Installation

'delete' operator and licensing

tgiles
Path Finder

Hi, all.

Is anyone familiar with how using the 'delete' operator in splunk affect licensing?

On our network, we have a number of 'yappy' devices that send in logs that are just not needed in any way, shape, or form.

I'm curious how splunk licensing handle me performing deletes on the unneeded data that I get in from them- would the indexed data be counted anyway, or would splunk count it as 'no longer there, so not charging for it'

I'd really like to wrap up the 'unusable' data into a couple of searches and schedule them to purge overnight to keep splunk focused on data that I really do want information on.

I'd love to hear any insights, opinions, or pointers to available documentation, if there is any.

Cheers,

Tags (2)
0 Karma

tgiles
Path Finder

Correct, the scheduled searches would be to handle (remove) the unwanted events.

0 Karma

southeringtonp
Motivator

What is the purpose of the scheduled searches you mention? Is it solely to remove the unwanted events, or are you wanting to do some processing on those events (summary indexing, alerting, etc.) before they are removed?

0 Karma

Genti
Splunk Employee
Splunk Employee

Thats not the right way to go about.
First, no, using the | delete command does not clean your license up.
To begin with, for the events to show up in your searches it means that they have already been indexed, and hence already counted towards your license.

If there are events that you do not wish, then you have a few options:
- Make your data inputs a bit more refined
- Use whitelist and blacklists for your inputs.
- Route specific events to nullqueue if needed.

Instructions for all of the above are easily found on splunk.com documentation page. links:
http://www.splunk.com/base/Documentation/4.1.5/admin/Whitelistorblacklistspecificincomingdata
http://www.splunk.com/base/Documentation/4.1.5/Admin/Routeandfilterdata#Filter_event_data_and_send_t...

So, to conclude it all, the idea here is to NOT index any data that you do not want! (and not index it and then delete it...)

Hope this helped,
.gz

gkanapathy
Splunk Employee
Splunk Employee

Note also that using | delete does not free up disk space in the index, and that using it this way (regularly) will thus result in worse search performance over time than if the data had not been indexed in the first place.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...