Removing indexes from Cluster environment

samcyber20
Explorer

Hi,

This is my first question in Splunk community.

Could anyone please guide me with the proper steps to remove indexes from a Splunk cluster environment?

Plus I have to remove all dashboards, reports, source type renaming, all storage of indexes, etc.

 

Thanks 

Sam

 

gcusello
SplunkTrust

Hi @samcyber20,

probably you're speaking of the Master Node, not the Deployment Server, because you cannot use the Deployment Server to manage clustered Indexers!

Anyway, when managing an Indexer Cluster from the Master Node, to remove indexes you have to log in to the Master Node via SSH and open, in the "$SPLUNK_HOME/etc/master-apps" folder, the Technical Add-On (TA) containing indexes.conf.

If you don't have a TA_Indexers, you should find indexes.conf in "$SPLUNK_HOME/etc/master-apps/_cluster/local".

Then you have to modify indexes.conf, disabling or deleting the indexes you want to delete.

Then you have to go to the web GUI and push the configuration to the Indexers [Settings -- Indexers Clustering -- Push].

You can find documentation about this at https://docs.splunk.com/Documentation/Splunk/8.0.6/Indexer/Clusterdeploymentoverview

Ciao.

Giuseppe

samcyber20
Explorer

Hi @gcusello ,

Apologies for the noob questions,

I got the below finding from the Splunk docs.

So editing indexes.conf on the master node is fine, as you mentioned before, but I have to remove the index's directories from each peer node.

We have a replication factor of 3 for each bucket.

So in that case, do I need to log in to all three peers and delete the directories?

We have around 6 peers. Is there any way to find out which three of the 6 peers hold directories for the xyz index? Or is the only way to log in to each peer and dig in the directories to find out?

 

 

https://docs.splunk.com/Documentation/Splunk/8.0.6/Indexer/RemovedatafromSplunk

 

Thanks 

Sam

gcusello
SplunkTrust

Hi @samcyber20,

yes, as described in the documentation, you first have to remove the index stanza from indexes.conf and push the new configuration.

Then you can delete all the index folders from each peer.

Ciao.

Giuseppe

isoutamo
SplunkTrust

That’s true, deleting the index stanza doesn’t remove the actual files from the nodes. You must do that yourself after the cluster peers have done a rolling restart.

You must log in to all (6) peers and remove that index there. Replication factor means that every individual bucket has been replicated to three peers, but as every index has several buckets, those are spread across all peers.

r. Ismo
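
The per-peer cleanup described above can be preceded by a dry run that lists which of the index's directories exist on a peer. This is an added example, not part of the thread or of Splunk's tooling; it assumes a copy of indexes.conf saved before the stanza was removed (the file name `indexes.conf.saved` and the function names are hypothetical), and it only prints paths, deleting nothing.

```shell
#!/usr/bin/env bash
# index_paths CONF INDEX SPLUNK_DB
# Print homePath, coldPath and thawedPath of [INDEX] from CONF, expanding
# $SPLUNK_DB and $_index_name.
index_paths() {
    awk -v idx="$2" -v db="$3" '
        /^[ \t]*\[/ {                       # stanza header: track current index
            name = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
            in_stanza = (name == idx)
            next
        }
        in_stanza && /^[ \t]*(homePath|coldPath|thawedPath)[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)   # drop "key = "
            sub(/[ \t]+$/, "", val)         # drop trailing whitespace
            gsub(/\$SPLUNK_DB/, db, val)
            gsub(/\$_index_name/, idx, val)
            print val
        }
    ' "$1"
}

# existing_index_dirs CONF INDEX SPLUNK_DB
# Keep only the paths that exist as directories on this peer.
existing_index_dirs() {
    index_paths "$@" | while IFS= read -r dir; do
        if [ -d "$dir" ]; then printf '%s\n' "$dir"; fi
    done
}

# Constructed sample: a throwaway SPLUNK_DB and a saved copy of indexes.conf.
demo_db=$(mktemp -d)
mkdir -p "$demo_db/xyz/db" "$demo_db/xyz/colddb" "$demo_db/other/db"
cat > "$demo_db/indexes.conf.saved" <<'EOF'
[xyz]
homePath = $SPLUNK_DB/xyz/db
coldPath = $SPLUNK_DB/xyz/colddb
thawedPath = $SPLUNK_DB/$_index_name/thaweddb

[other]
homePath = $SPLUNK_DB/other/db
EOF
existing_index_dirs "$demo_db/indexes.conf.saved" xyz "$demo_db"
```

On a real peer the third argument would be that peer's own SPLUNK_DB location, and the printed list is what to review before removing anything by hand.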

samcyber20
Explorer

Hi @gcusello ,

Thanks for clearing up my confusion.

I am still not clear about a few things, but I will first look at what you suggested.

Regards,

Sam

gcusello
SplunkTrust

Hi @samcyber20,

good for you!

If the answer solves your need, please accept it for the other people of the community.

Ciao and good splunking.

Giuseppe

P.S. Karma Points are appreciated by all the contributors 😉
