'delete' operator and licensing

tgiles
Path Finder

Hi, all.

Is anyone familiar with how using the 'delete' operator in splunk affects licensing?

On our network, we have a number of 'yappy' devices that send in logs that are just not needed in any way, shape, or form.

I'm curious how splunk licensing handles me performing deletes on the unneeded data that I get in from them: would the indexed data be counted anyway, or would splunk count it as 'no longer there, so not charging for it'?

I'd really like to wrap up the 'unusable' data into a couple of searches and schedule them to purge overnight to keep splunk focused on data that I really do want information on.

I'd love to hear any insights, opinions, or pointers to available documentation, if there is any.

Cheers,


tgiles
Path Finder

Correct, the scheduled searches would be to handle (remove) the unwanted events.


southeringtonp
Motivator

What is the purpose of the scheduled searches you mention? Is it solely to remove the unwanted events, or are you wanting to do some processing on those events (summary indexing, alerting, etc.) before they are removed?


Genti
Splunk Employee

That's not the right way to go about it.
First, no, using the | delete command does not clean your license up.
To begin with, for the events to show up in your searches it means that they have already been indexed, and hence already counted towards your license.

If there are events that you do not want, then you have a few options:
- Make your data inputs a bit more refined
- Use whitelists and blacklists for your inputs.
- Route specific events to nullqueue if needed.

Instructions for all of the above are easily found on the splunk.com documentation page. Links:
http://www.splunk.com/base/Documentation/4.1.5/admin/Whitelistorblacklistspecificincomingdata
http://www.splunk.com/base/Documentation/4.1.5/Admin/Routeandfilterdata#Filter_event_data_and_send_t...

So, to conclude it all, the idea here is to NOT index any data that you do not want! (and not index it and then delete it...)

Hope this helped,
.gz
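The three options Genti lists, written out as Splunk .conf fragments. This is an added example, not code from Genti's post or from the Splunk documentation; the file paths, the host pattern `yappy-*`, the sourcetype name `device_syslog` and every regex are assumptions to be replaced with the real inputs on your deployment.

```ini
# Added example (not from the original post). All stanza names, the path
# /var/log/devices, the host pattern yappy-* and the regexes are assumptions.

# ---- inputs.conf (on the forwarder that reads the files) ----
# Options 1 and 2: refine the input and filter by file path before anything
# is read. whitelist/blacklist are regexes matched against the full path;
# a file matching both is skipped (blacklist wins). Files skipped here never
# reach an indexer, so they never count toward the license.
[monitor:///var/log/devices]
sourcetype = device_syslog
whitelist = \.log$
blacklist = /yappy-[^/]+\.log$

# ---- props.conf (on the indexer or a heavy forwarder; a universal ----
# ---- forwarder does not run TRANSFORMS)                          ----
# Option 3: drop individual events at parse time. Events routed to nullQueue
# are discarded before indexing, so they are not counted against the license.
# TRANSFORMS-<name> lists transforms.conf stanzas, applied left to right.
[host::yappy-*]
TRANSFORMS-null = drop_keepalives

# Stricter variant for a sourcetype that is mostly noise: drop everything,
# then route only the events matching the keep list back to indexQueue.
[device_syslog]
TRANSFORMS-filter = drop_all, keep_important

# ---- transforms.conf (same host as props.conf) ----
[drop_keepalives]
# REGEX is matched against the raw event text (_raw) by default
REGEX = \b(keepalive|heartbeat)\b
DEST_KEY = queue
FORMAT = nullQueue

[drop_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_important]
# applied after drop_all, so matching events are re-routed to be indexed
REGEX = \b(ERROR|CRITICAL|auth(entication)? fail)
DEST_KEY = queue
FORMAT = indexQueue
```

The props.conf and transforms.conf changes take effect on the parsing tier only after a restart of splunkd there. To confirm the filtering is working, compare per-host or per-sourcetype volume in the license usage log (index=_internal, source license_usage.log, type=Usage, on recent Splunk versions) before and after the change: data dropped at the input or sent to nullQueue should no longer appear there at all, whereas data removed with | delete still does.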

gkanapathy
Splunk Employee

Note also that using | delete does not free up disk space in the index, and that using it this way (regularly) will thus result in worse search performance over time than if the data had not been indexed in the first place.
