Deployment Architecture

How to manually delete buckets in cluster peers?

splunkIT
Splunk Employee
Splunk Employee

I know that in a clustered environment, I cannot just manually delete/roll the buckets off colddb directory manually. Doing so might cause unintended consequences. So is there a CLI command that I can use on the cluster master to manually delete/roll of the bucket/s?

Tags (4)

dxu_splunk
Splunk Employee
Splunk Employee

to remove a single copy of a bucket - you can use the cluster/master/buckets/{BID}/remove_from_peer endpoint, example:

curl -k -u admin:changeme "https://MASTER:MGMT/services/cluster/master/buckets/main~1490~D4A07A5D-3C3C-4D36-BD70-D610B432466F/remove_from_peer" -d peer=BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBB

to remove all copies of a bucket:

curl -k -u admin:changeme -X POST "https://MASTER:MGMT/services/cluster/master/buckets/main~1490~D4A07A5D-3C3C-4D36-BD70-D610B432466F/remove_all"

Alternatively - we can also manually freeze buckets:

you can freeze the bucket - once a bucket is frozen, it won't be replicated anymore. also, freezing a bucket also (by default unless theres a cold2frozen script) deletes it. if you want to manually clean up all copies of bucket X, you'll need to freeze bucket X on all the indexers.

to freeze a bucket on an indexer, just curl the endpoint:

curl -k -u user:pw https://indexer:mgmt_port/services/data/indexes/index_name/freeze-buckets -d bucket_ids=bucketid -X POST

for example, to freeze bucket main~10~abcd... and main~11~abcd... on a specific indexerA

curl -k -u user:pw https://indexerA:mgmt_port/services/data/indexes/main/freeze-buckets -d bucket_ids=10_abcd...,11_abcd... -X POST

millern4
Communicator

This worked great for me for an issue we were having with our indexer cluster. After multiple attempts to enable maintenance mode, restarting indexers, and other issues this finally did the trick.

Here's my results, and not I ran this from the CLI of our Cluster Master.

[host /]$ curl -k -u admin https://INDEXER_NAME_OR_IP:8089/services/data/indexes/INDEX_NAME/freeze-buckets -d bucket_ids=FULL BUCKET ID -X

0 Karma

hanijamal
New Member

what is the procedure to delete a corrupt bucket on windows?

0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...