topic Re: How to quickly remove indexes data from an indexer cluster in Splunk Dev

How to quickly remove indexes data from an indexer cluster

xsstest — Tue, 06 Jun 2017 08:30:41 GMT

I have an indexer cluster with 8 indexers and a master node.

Now, I need to remove an index data, the index name is "tomcat"

How to quickly remove index data from an indexer cluster? distribute bundle?

only one by one delete indexs data from each indexer?？

Re: How to quickly remove indexes data from an indexer cluster

dineshraj9 — Tue, 06 Jun 2017 08:39:28 GMT

You can use the | delete command to make the data inaccessible to the users. This won't free up space on the indexers though.

http://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Delete

For this you need a user with can_delete role(if you already don't have then create a temporary user and assign this role) and then run the query to return all data and delete. index=tomcat earliest=0 | delete and delete the data.

To permanently remove event data from a single index, type:
$SPLUNK_HOME/bin/splunk clean eventdata -index <index_name>

Details are provided here - http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/RemovedatafromSplunk

For freeing up space, remove any monitors sending data to this index, remove index configuration from indexes.conf, push bundle and delete the index directory from the indexers $SPLUNK_HOME/var/lib/splunk/tomcat.

Re: How to quickly remove indexes data from an indexer cluster

xsstest — Wed, 07 Jun 2017 13:36:05 GMT

The delete command does not apply to indexer clusters

Re: How to quickly remove indexes data from an indexer cluster

xsstest — Wed, 07 Jun 2017 13:37:15 GMT

And I want to free up disk space

Re: How to quickly remove indexes data from an indexer cluster

DalJeanis — Wed, 07 Jun 2017 14:26:30 GMT

Seems like you could set that index to have a different retention schedule so the data would roll to cold and frozen quickly... assuming that it was being indexed into separate buckets, which would depend on configuration and whether you had originally set it up with any differences that would make the system think it ought to keep that index data separate.

Otherwise, you might be stuck with re-indexing everything in order to de-aggregate the lump of underlying data.

Re: How to quickly remove indexes data from an indexer cluster

adonio — Wed, 07 Jun 2017 14:33:19 GMT

I believe @DalJeanis comment is a valid answer (not a comment), make sure there is no frozen path.
hard limit either the size for something like 10gb or the time for lets say last hour then distribute to indexers in the cluster.
all the data will roll very quickly out. all done.
another way is -> put cluster in maintenance mode -> stop indexers -> remove data with clean eventdata -index tomcat start all indexers -> disable maintenance mode.
if you will do it one indexer at a time, you will not suffer down time
hope it helps

Re: How to quickly remove indexes data from an indexer cluster

neltonk — Wed, 01 Aug 2018 00:03:55 GMT

New to splunk please help...

I have a splunk cluster - 1 Master(also the license master), 3 node indexer cluster, 1 search head. I want to delete data in a specifi index

Could you please verify if the following steps are correct to delete event data?

On the Master Node : put cluster in maintenance mode
stop indexers - splunk stop on each indexer
remove data using the command splunk clean eventdate -index xyz - where do I run this command - on each indexer node ?
start indexers - splunk start on each indexer
On Master Node : disable Maintenance node