Deployment Architecture

Removing indexes from Cluster environment

samcyber20
Explorer

Hi,

This is my first question in Splunk community.

Could anyone please guide me with the proper steps to remove indexes from a Splunk cluster environment?

Plus I have to remove all dashboards, reports, source type renaming, all storage of indexes, etc.

 

Thanks 

Sam

 

0 Karma

gcusello
Legend

Hi @samcyber20,

You're probably speaking of the Master Node, not the Deployment Server, because you cannot use the Deployment Server to manage clustered Indexers!

Anyway, when managing an Indexer Cluster from the Master Node, to remove indexes you have to log in to the Master Node via SSH and open, in the "$SPLUNK_HOME/etc/master-apps" folder, the Technical Add-On (TA) containing indexes.conf.

If you don't have a TA_Indexers, you should find indexes.conf in "$SPLUNK_HOME/etc/master-apps/_cluster/local".

Then you have to modify indexes.conf, disabling or deleting the indexes you want to delete.

Then you have to go into the web GUI and push the configuration to the Indexers [Settings -- Indexers Clustering -- Push].

You can find documentation about this at https://docs.splunk.com/Documentation/Splunk/8.0.6/Indexer/Clusterdeploymentoverview

Ciao.

Giuseppe

samcyber20
Explorer

Hi @gcusello ,

Apologies for the noob questions,

I got the below finding from the Splunk docs.

[Screenshot: samcyber20_0-1602191812349.png]

So editing indexes.conf on the master node is fine, as you mentioned before, but then remove the index's directories from each peer node.

We have a replication factor of 3 for each bucket.

So in that case, do I need to log in to all three peers and delete the directories?

We have around 6 peers. Is there any way to find out which three of the 6 peers hold directories for the xyz index? Or is the only way to log in on each peer and dig in the directories to find out?

 

 

https://docs.splunk.com/Documentation/Splunk/8.0.6/Indexer/RemovedatafromSplunk

 

Thanks 

Sam

0 Karma

gcusello
Legend

Hi @samcyber20,

Yes, as described in the documentation, you first have to remove the index stanza from indexes.conf and push the new configuration.

Then you can delete all the index folders from each peer.

Ciao.

Giuseppe

isoutamo
SplunkTrust

That's true, deleting the index stanza doesn't remove the actual files from the nodes. That you must do yourself after the cluster peers have done a rolling restart.

You must log in to all (6) peers and remove that index there. Replication factor means that every individual bucket has been replicated to three peers, but as every index has several buckets, those are spread across all peers.

r. Ismo
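
The per-peer check discussed in this thread, as an added example that is not part of any poster's reply: it reads the storage paths of one index out of indexes.conf and reports which of those directories still exist on the host it runs on. The function names are hypothetical, the script assumes a copy of indexes.conf saved before the stanza was removed, and `/opt/splunk` as the fallback `SPLUNK_HOME` is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Reads an index's storage paths out of
# indexes.conf and reports which of them still exist on the local peer.

# index_paths CONF INDEX [SPLUNK_DB]: print homePath/coldPath/thawedPath of
# stanza [INDEX], expanding $SPLUNK_DB and $_index_name.
index_paths() {
    _db=${3:-${SPLUNK_DB:-${SPLUNK_HOME:-/opt/splunk}/var/lib/splunk}}
    awk -v want="[$2]" -v db="$_db" -v name="$2" '
        /^[ \t]*#/ { next }                        # comment line
        /^[ \t]*\[/ {                              # stanza header
            gsub(/^[ \t]+|[ \t]+$/, ""); in_stanza = ($0 == want); next
        }
        in_stanza && /^[ \t]*(homePath|coldPath|thawedPath)[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            gsub(/\$SPLUNK_DB/, db, val); gsub(/\$_index_name/, name, val)
            print val
        }' "$1"
}

# leftover_dirs CONF INDEX [SPLUNK_DB]: print the paths that exist as
# directories on this host; empty output means nothing is left to remove.
leftover_dirs() {
    _paths=$(index_paths "$@")
    while IFS= read -r _p; do
        if [ -d "$_p" ]; then printf '%s\n' "$_p"; fi
    done <<EOF
$_paths
EOF
}

# make_sample DIR: constructed indexes.conf plus bucket directories for "xyz"
# (thaweddb deliberately absent) so the functions can be tried offline.
make_sample() {
    mkdir -p "$1/db/xyz/db" "$1/db/xyz/colddb" "$1/db/keepme/db"
    cat > "$1/indexes.conf" <<'EOF'
# constructed sample, not a real deployment
[keepme]
homePath = $SPLUNK_DB/keepme/db
coldPath = $SPLUNK_DB/keepme/colddb
thawedPath = $SPLUNK_DB/keepme/thaweddb

[xyz]
homePath   = $SPLUNK_DB/$_index_name/db
coldPath   = $SPLUNK_DB/xyz/colddb
thawedPath = $SPLUNK_DB/xyz/thaweddb
EOF
}
```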

samcyber20
Explorer

Hi @gcusello ,

Thanks for clearing up my confusion.

I am still not clear about a few things, but I will first look at what you suggested.

Regards,

Sam

0 Karma

gcusello
Legend

Hi @samcyber20,

good for you!

If the answer solves your need, please accept it for the other people in the community.

Ciao and good splunking.

Giuseppe

P.S. Karma Points are appreciated by all the contributors 😉

0 Karma