Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

'delete' operator and licensing

tgiles
Path Finder
‎10-01-2010 10:38 PM

Hi, all.

Is anyone familiar with how using the 'delete' operator in splunk affect licensing?

On our network, we have a number of 'yappy' devices that send in logs that are just not needed in any way, shape, or form.

I'm curious how splunk licensing handle me performing deletes on the unneeded data that I get in from them- would the indexed data be counted anyway, or would splunk count it as 'no longer there, so not charging for it'

I'd really like to wrap up the 'unusable' data into a couple of searches and schedule them to purge overnight to keep splunk focused on data that I really do want information on.

I'd love to hear any insights, opinions, or pointers to available documentation, if there is any.

Cheers,

Tags (2)
0 Karma
Reply

tgiles
Path Finder
‎10-04-2010 01:55 PM

Correct, the scheduled searches would be to handle (remove) the unwanted events.

0 Karma
Reply

southeringtonp
Motivator
‎10-02-2010 02:23 AM

What is the purpose of the scheduled searches you mention? Is it solely to remove the unwanted events, or are you wanting to do some processing on those events (summary indexing, alerting, etc.) before they are removed?

0 Karma
Reply

Genti
Splunk Employee
Splunk Employee
‎10-01-2010 10:45 PM

Thats not the right way to go about.
First, no, using the | delete command does not clean your license up.
To begin with, for the events to show up in your searches it means that they have already been indexed, and hence already counted towards your license.

If there are events that you do not wish, then you have a few options:
- Make your data inputs a bit more refined
- Use whitelist and blacklists for your inputs.
- Route specific events to nullqueue if needed.

Instructions for all of the above are easily found on splunk.com documentation page. links:
http://www.splunk.com/base/Documentation/4.1.5/admin/Whitelistorblacklistspecificincomingdata
http://www.splunk.com/base/Documentation/4.1.5/Admin/Routeandfilterdata#Filter_event_data_and_send_t...

So, to conclude it all, the idea here is to NOT index any data that you do not want! (and not index it and then delete it...)

Hope this helped,
.gz

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-02-2010 12:13 AM

Note also that using | delete does not free up disk space in the index, and that using it this way (regularly) will thus result in worse search performance over time than if the data had not been indexed in the first place.

Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...