You can configure Decoders so that packets and logs are processed and then dropped before they are written to disk. A Decoder configured this way is called a Meta-Only Decoder. It uses the Meta-Only license and can save storage space; however, analysts cannot reconstruct events in Investigate if you use this option. The configuration option /decoder/config/packet.write.disabled controls this feature. If this option is set to true, all packets are dropped after parsing, so they are never written to the database. This applies to both Log and Network Decoders. The ingested logs and packets still flow through the system normally, so parsing and other operations are not impacted. The default setting is false, which preserves the normal behavior of writing packets to disk.
To configure a Meta-Only Decoder where packets and logs are parsed and not written to disk:
- Go to (Admin) > Services and select a Decoder.
- Click > View > Explore, and in the left panel, expand decoder and click config.
- In the right pane, go to packet.write.disabled, and change the value from false to true.
For an example of how to use the Meta-Only license to apply centrally managed capture policies across your Network Decoders, see (Optional) Configure Selective Network Data Collection.