topic Re: Remove the index distributed setup in Getting Data In

Remove the index distributed setup

ws — Mon, 05 May 2025 04:01:06 GMT

Hi,

After setting up a test index and ingesting a test record, I’m now planning to remove the index from the distributed setup.

Could anyone confirm the correct procedure for removing an index in a distributed environment with 3 indexers and a management node?

I normally run the following command at an all in one setup.

/opt/splunk/bin/splunk clean eventdata -index index_name

Re: Remove the index distributed setup

PickleRick — Mon, 05 May 2025 06:35:57 GMT

What exactly do you want to do?

The command you provided will "empty" the index without touching its definition. Also, I haven't tried this in a cluster (I assume that's what you mean by 3 indexers and "a management node") but I'd expect the cluster to start fixups as soon as you do the operation on the first node unless you enable maintenance mode.

Anyway, if you want to leave the index definition but only remove the indexed events, that's one of the possibilities. Another one is to set very short retention period and let Splunk roll the buckets normally.

If you want to remove the index along with its definition, you have to remove it from indexes.conf on the CM, push the config bundle (this will trigger rolling restart of indexers) and then manually remove index directories from each indexer.

Re: Remove the index distributed setup

gcusello — Mon, 05 May 2025 06:48:08 GMT

Hi @ws ,

the best approach is:

remove every input that sends logs to this index,
in Cluster Manager, put the retention (frozenTimePeriodInSecs) of this index to zero and push the configuration to Indexers,
after some minute, check that there isn't any log in the index, then remove the index from the Cluster Manager and push again the configuration.

Ciao.

Giuseppe

Re: Remove the index distributed setup

livehybrid — Mon, 05 May 2025 14:22:07 GMT

Hi @ws

The clean command does not work on clustered indexes - See https://docs.splunk.com/Documentation/Splunk/latest/Indexer/RemovedatafromSplunk#How_to_delete:~:text=Note%3A-,The,-clean%20command%20does

As the others have said, you could reduce the retention to basically nothing so that the data ages out, before then removing the indexes.conf stanza for the index and deploying out to your indexers. However note that this will not remove the old directory structure on the indexers for this index, if you want to completely remove it you will need to delete the folder structure on each node as per the docs "Once you've applied the indexes.conf changes and the peer nodes have restarted, remove the index's directories from each peer node."

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing