Splunk Search

Delete events from a query with a command that is 'not distributable streaming'

bhooker_axcient
Engager
We have a Splunk instance that keeps copies of Jira tickets which have changed over time.  Anytime there is a change to a ticket, we journal most of the JSON object into Splunk as an event.  Our index is getting large, and I think that it is affecting performance (nearly 1,000,000 events and 1 GB).  For each ticket id, I want to delete all but 1 event that is older than 6 months (keep the youngest event that is > 6 mon old).  
 
index=jira latest=-6mon | dedup key
(Gets the list of keys with events that can be deleted)
 
For each key, delete all but one of the events > 6mon (e.g. KEY-75)
 
index=jira latest=-6mon key = "KEY-75" | streamstats count as result | where result > 1 | delete 
Error in 'delete' command: This command cannot be invoked after the command 'simpleresultcombiner', which is not distributable streaming.
The search job has failed due to an error. You may be able view the job in the Job Inspector.
index=jira latest=-6mon key = "KEY-75" | sort - _time | streamstats count as result | where result > 1 | delete
Error in 'delete' command: This command cannot be invoked after the command 'sort', which is not distributable streaming.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

richgalloway
SplunkTrust

The delete command will not recover disk space or make your index any smaller.  It merely prevents events from appearing in search results.  Also, deleting events does not improve search performance.

---
If this reply helps you, Karma would be appreciated.
Got questions? Get answers!
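The per-key deletion the question asks for can be made to pass the "not distributable streaming" check by splitting it in two: one search that only reads (so it may use stats), and one that ends in delete and contains nothing but distributable streaming commands (search, where) before it. This is an added example, not code from either post above; the ticket key KEY-75 is the poster's own, and the epoch value 1700000000 is a placeholder for whatever the first search returns. It does not change the point of the reply: delete only hides the events, and the disk usage it is meant to fix is a retention matter (frozenTimePeriodInSecs or maxTotalDataSizeMB on the index in indexes.conf), not a search matter.

```spl
index=jira latest=-6mon key="KEY-75"
| stats max(_time) AS keep_time BY key

index=jira latest=-6mon key="KEY-75"
| where _time != 1700000000
| delete
```

Run the first search and note the keep_time it returns (the youngest event older than six months for that key). Paste that number into the second search in place of 1700000000. Because search, where and delete are all distributable streaming, Splunk inserts no simpleresultcombiner and delete is accepted, which is exactly what streamstats and sort prevented. Before adding | delete, run the second search without it and confirm the event count is one less than the key's total; delete also requires a role with the can_delete capability, which the default admin role does not carry.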
