Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I have a saved search scheduled to write to a summary index. How do I clear the summary index each time before the saved search is run again?

teekayx
Path Finder
‎06-28-2016 10:02 PM

I have a saved search cron-scheduled to run every hour. This will write to a summary index each time. I want to clear the summary index each time before the saved search is run again.

I tried to cron-schedule another saved search just for this -- index=summary | delete -- 1 min before the above search runs. However, delete happens a lot quicker and I have a 1 min window now which fetches no result from the summary index.

Can I add -- append [ index=summary | delete ] -- to the first saved search to achieve this in one go?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

teekayx
Path Finder
‎07-18-2016 10:15 AM

I did this and this works. I was a bit scared to test it out then as I was a rookie then. I am closer to being a ninja now.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

TheWoodRanger
Explorer
‎07-20-2016 04:29 AM

,The "delete" command just makes the events unsearchable, it doesn't remove them from the Summary Index. If space is an issue, be wary of this as the size of the index will still include all of the events deleted using | delete

"Using the delete command marks all of the events returned by the search as deleted. Subsequent searches do not return the marked events. No user, not even a user with admin permissions, is able to view this data after deletion. The delete command does not reclaim disk space."

0 Karma
Reply
Solved! Jump to solution

teekayx
Path Finder
‎10-13-2016 06:49 AM

Thanks. I find it strange though to have a 'delete' command that does not delete! (kind of anti-semantic) and to not even have a way to recover such soft-deleted content. What's the point of having such an inflexible delete command!

0 Karma
Reply
Solved! Jump to solution
Solution

teekayx
Path Finder
‎07-18-2016 10:15 AM

I did this and this works. I was a bit scared to test it out then as I was a rookie then. I am closer to being a ninja now.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...