Splunk Search

Delete events from a query with a command that is 'not distributable streaming'

bhooker_axcient
Engager
We have a Splunk instance that keeps copies of Jira tickets which have changed over time. Anytime there is a change to a ticket, we journal most of the JSON object into Splunk as an event. Our index is getting large, and I think that it is affecting performance (nearly 1,000,000 events and 1 GB). For each ticket id, I want to delete all but 1 event that is older than 6 months (keep the youngest event that is > 6 mon old).

index=jira latest=-6mon | dedup key
(Gets the list of keys with events that can be deleted)

For each key, delete all but one of the events > 6mon (e.g. KEY-75)

index=jira latest=-6mon key = "KEY-75" | streamstats count as result | where result > 1 | delete

Error in 'delete' command: This command cannot be invoked after the command 'simpleresultcombiner', which is not distributable streaming.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

index=jira latest=-6mon key = "KEY-75" | sort - _time | streamstats count as result | where result > 1 | delete

Error in 'delete' command: This command cannot be invoked after the command 'sort', which is not distributable streaming.
The search job has failed due to an error. You may be able view the job in the Job Inspector.
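The errors above come from a rule in the delete command itself: every command ahead of it in the pipeline must be distributable streaming (search, eval, where, fields, rex, lookup and the like), so sort, streamstats and stats cannot sit in front of it. One way to stay inside that rule is to do the per-key aggregation in a separate search that writes a CSV lookup, then let a purely streaming lookup/where pipeline pick out the events to remove. The searches below are an added illustration, not part of the original post and not Splunk documentation; the lookup name jira_keep_events.csv is assumed, key and _time are the fields from the question, and the lines beginning with # are annotations to strip before pasting (SPL's own comment delimiter is three backticks, which cannot appear inside this fence).

```spl
# Step 1 (run once): for every ticket key, record the timestamp of the newest
# event that is already older than six months. stats is not a streaming command,
# so it lives in its own search; outputlookup saves the result as a CSV lookup.
# earliest=0 is spelled out so the search does not depend on the time picker.
index=jira earliest=0 latest=-6mon
| stats max(_time) AS keep_time BY key
| outputlookup jira_keep_events.csv

# Step 2 (dry run): lookup and where are distributable streaming, so delete would
# be accepted after them. Run this version first and compare the per-key counts
# with "index=jira earliest=0 latest=-6mon | stats count BY key": each key should
# show exactly one fewer event here.
index=jira earliest=0 latest=-6mon
| lookup jira_keep_events.csv key OUTPUT keep_time
| where isnotnull(keep_time) AND _time != tonumber(keep_time)
| stats count AS to_delete BY key

# Step 3 (irreversible; the role needs the can_delete capability): the same
# streaming pipeline with delete appended. Keys that were not in the lookup
# (events that crossed the six-month boundary after step 1 ran) have no
# keep_time and are left untouched by the isnotnull() guard.
index=jira earliest=0 latest=-6mon
| lookup jira_keep_events.csv key OUTPUT keep_time
| where isnotnull(keep_time) AND _time != tonumber(keep_time)
| delete
```

Run steps 1 and 3 close together, since both use -6mon relative to the moment they run. If the dry run shows as many events per key as the raw count, the keep_time comparison is not matching (for example because of sub-second precision in _time) and nothing should be deleted until that is resolved. Note also that delete only hides events from search results; it does not reclaim disk space.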

richgalloway
SplunkTrust

The delete command will not recover disk space or make your index any smaller. It merely prevents events from appearing in search results. Also, deleting events does not improve search performance.

---
If this reply helps you, Karma would be appreciated.