Splunk Enterprise

Ramifications of deleting Splunk Search Artifacts in Dispatch

ochoa165
Explorer

Good Afternoon Everyone,

 

I am an ISSO who just inherited a Splunk environment. I have been leaning heavily on this community and i have received lots of great feed back in regards to different documents.  My latest problem is that my dispatch directory is nearing capacity and only has 3 out of 5 GB left so therefore i can't conduct any new searches or get dashboards everything is at a standstill.

 

I am aware i can use a command to clear artifacts from the dispatch directory and I am aware there are ways to allocate more space or re-direct the dispatch directory...but what I am truly worried about is am I going to lose information by clearing the dispatch directory of artifacts? 

 

I am concerned about losing security related data or auditable events. is there any one who can break down what exactly a search artifact in Splunk contains? and is it something I need to have on hand for security purposes down the road? I feel if i can show my colleagues what a search artifact is and perhaps why we dont need to worry about deleting it (OR WORRY ) than i can proceed forward... I don't exactly have my organization telling me I need to keep the artifacts but that doesn't mean i shouldn't err on the side of caution.  ANY HELP is greatly appreciated. 

More Info:

 

All we care about is auditing the devices connected to Splunk by way of queries and dashboards. as long as that data is not compromised we are good.

Labels (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The dispatch directory contains information about outstanding searches as well the results from completed searches.  Completed searches should be cleaned up automatically after 10 minutes (default setting), but can be as long as 7 days if the results are shared by the user who ran the search.

Deleting files from the dispatch directory has no affect on your data - that's always safe in your indexes.  A deleted artifact could cause a dashboard to fail, however, if it tries to use the results of a saved search that are no longer there.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...