Is anyone familiar with how using the 'delete' operator in splunk affect licensing?
On our network, we have a number of 'yappy' devices that send in logs that are just not needed in any way, shape, or form.
I'm curious how splunk licensing handle me performing deletes on the unneeded data that I get in from them- would the indexed data be counted anyway, or would splunk count it as 'no longer there, so not charging for it'
I'd really like to wrap up the 'unusable' data into a couple of searches and schedule them to purge overnight to keep splunk focused on data that I really do want information on.
I'd love to hear any insights, opinions, or pointers to available documentation, if there is any.
Thats not the right way to go about.
First, no, using the | delete command does not clean your license up.
To begin with, for the events to show up in your searches it means that they have already been indexed, and hence already counted towards your license.
If there are events that you do not wish, then you have a few options:
- Make your data inputs a bit more refined
- Use whitelist and blacklists for your inputs.
- Route specific events to nullqueue if needed.
Instructions for all of the above are easily found on splunk.com documentation page.
So, to conclude it all, the idea here is to NOT index any data that you do not want! (and not index it and then delete it...)
Hope this helped,
Note also that using
| delete does not free up disk space in the index, and that using it this way (regularly) will thus result in worse search performance over time than if the data had not been indexed in the first place.
What is the purpose of the scheduled searches you mention? Is it solely to remove the unwanted events, or are you wanting to do some processing on those events (summary indexing, alerting, etc.) before they are removed?