Deployment Architecture

How do I clear old indexers' bundles?

LovingSplunk
Path Finder

On my indexers I have many bundles that are very old (some over 1 year old). What is the best way to configure Splunk to have only the recent bundles?


LovingSplunk
Path Finder

Thank you @isoutamo, the ones I see on the indexers at - /opt/splunk/var/run/searchpeers/*


isoutamo
SplunkTrust

Those are search heads' search bundles, which are sent to the indexers when a query is run. Basically each query sends it. Those could be a full bundle, or a delta if there is no need to send all search KOs with the query.

Those files are put in separate directories under this directory. The subdirectory name tells which SH or SHC has sent those.

Basically, when there are some old directories from SHs which you don't have anymore, those are safe to remove. But don't remove anything which is still in use!

Basically those should be there in both formats: xxxxx.delta and an xxxxx directory. The delta file is just a tar package which is used to transfer those from the SH to the indexers.

At least I didn't know that there are official instructions on how to delete those.

The safest way to do it is to stop Splunk, then remove those old directories and files. Then just start Splunk.

I know that some will use some scripts to remove all other than e.g. the 2-5 latest bundles, but I haven't needed to do it myself.

So if you lack disk space you could remove those, but at your own risk! If not, then just leave them and remove those e.g. when you are updating your Splunk version or otherwise shutting it down.

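One way to script the cleanup described in the answer above, as an added example that is not part of the thread and not an official Splunk procedure: it lists entries under the searchpeers directory older than a cutoff, always spares the newest few, and deletes only when asked and only while splunkd is not running. The function names, the 30-day cutoff, the keep count of 3, and using modification time as the signal for "no longer in use" are assumptions.

```shell
#!/bin/sh
# Added example, not an official Splunk procedure. Assumptions: the 30-day /
# keep-3 values, and modification time as the signal for "no longer in use".
PEERS_DIR="${PEERS_DIR:-/opt/splunk/var/run/searchpeers}"  # path from the thread

# Print entries directly under dir ($1) older than $2 days, always sparing the
# $3 most recently modified entries (bundle directories and .delta files alike).
stale_bundles() {
    dir=$1; days=$2; keep=$3
    [ -d "$dir" ] || return 1
    protected=$(ls -1t "$dir" | head -n "$keep")   # newest first
    find "$dir" -mindepth 1 -maxdepth 1 -mtime +"$days" | sort |
    while IFS= read -r path; do
        name=${path##*/}
        printf '%s\n' "$protected" | grep -qxF -- "$name" || printf '%s\n' "$path"
    done
}

# Dry run unless $4 is "delete"; deletion is refused while splunkd is running,
# matching the advice to stop Splunk before removing anything.
cleanup_bundles() {
    dir=$1; days=$2; keep=$3; mode=${4:-dry-run}
    if [ "$mode" = "delete" ] && pgrep -x splunkd >/dev/null 2>&1; then
        echo "splunkd is running; stop Splunk first" >&2
        return 2
    fi
    stale_bundles "$dir" "$days" "$keep" | while IFS= read -r path; do
        if [ "$mode" = "delete" ]; then
            rm -rf -- "$path" && echo "removed $path"
        else
            echo "would remove $path"
        fi
    done
}

# Review the dry-run output first:   cleanup_bundles "$PEERS_DIR" 30 3
# Then, with Splunk stopped:         cleanup_bundles "$PEERS_DIR" 30 3 delete
```

The running-process guard relies on `pgrep` being installed; on a host without it the guard cannot detect splunkd, so confirm the service is stopped by hand before using `delete`.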

isoutamo
SplunkTrust
Are you talking about search or cluster bundles or something else?