Splunk Search

Why are the counts inconsistent for metadata under Data Summary after using Delete?

jakewalter
Explorer

After running the delete command to remove some incorrectly indexed data, the data is indeed gone from the index, but the Data Summary window in the Search app will sometimes show a count for the deleted data. This doesn't happen every time, and I can't speak to any differences between syntax when data metadata is fully deleted, versus when the metadata leaves an active count.

Is there something in Splunk that needs to be reset?


somesoni2
Revered Legend

In the Splunk documentation for deleting data using the delete command, it is mentioned that the delete command doesn't update the metadata. That's the reason you would see counts in Data Summary for deleted events as well. However, those deleted events' metadata will get cleared once they go past their retention period.

http://docs.splunk.com/Documentation/Splunk/6.4.0/Indexer/RemovedatafromSplunk
The delete operator does not update the metadata of the events, so any metadata searches will still include the events although they are not searchable. The main All indexed data dashboard will still show event counts for the deleted sources, hosts, or sourcetypes.
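
One way to see the mismatch described in this answer, as an added example that is not part of the original thread: the search below compares the per-sourcetype totals reported by the metadata command with the number of events a normal search still returns. The index name your_index is a placeholder, and the search is assumed to be run with the time range set to All time on an index small enough for the subsearch to finish within subsearch limits.

```spl
| metadata type=sourcetypes index=your_index
| fields sourcetype totalCount lastTime
| join type=left sourcetype
    [ search index=your_index
      | stats count AS searchable by sourcetype ]
| fillnull value=0 searchable
| eval not_searchable = totalCount - searchable
| where not_searchable > 0
| convert ctime(lastTime)
| table sourcetype totalCount searchable not_searchable lastTime
```

A sourcetype that appears here after a delete has a metadata count larger than what search can return, which is the leftover count the quoted documentation describes.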

MuS
SplunkTrust

Good spotting @somesoni2 😉

0 Karma

MuS
SplunkTrust

Hi,

The delete command does not delete or remove events from the index; they are no longer searchable but are still in the index. See the docs for more details: http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Delete#Description

Cheers, MuS

jakewalter
Explorer

That's all well and good, but to focus on the main point of my question, what causes the metadata displayed in the Data Summary to sometimes be affected after delete (e.g. sourcetypes or hosts are removed completely), but other times partial counts for the "deleted" data remain? I know that this was a bug in older versions of Splunk, but I do not see references to this in the latest.

0 Karma

ckroger
Engager

I third the follow-up question. Experiencing the same problem. Once every few days, a deletion will not be reflected in the metadata - even after 24 hours. (Splunk Ent. v6.3.4)

0 Karma

lib_systems
Path Finder

I second jakewalter's follow-up question, as I'm experiencing this same issue on a recent install of Splunk Enterprise 6.4.0. Was a bug re-introduced?

0 Karma