This is my first question in the Splunk community.
Could anyone please guide me with the proper steps to remove indexes from a Splunk cluster environment?
Plus I have to remove all dashboards, reports, source type renaming, all storage of indexes, etc.
Probably you're speaking of the Master Node, not the Deployment Server, because you cannot use the Deployment Server to manage clustered Indexers!
Anyway, managing the Indexer Cluster from the Master Node, to remove indexes you have to log in to the Master Node via SSH and open, in the "$SPLUNK_HOME/etc/master-apps" folder, the Technical Add-On (TA) containing indexes.conf.
If you don't have a TA_Indexers, you should find indexes.conf in "$SPLUNK_HOME/etc/master-apps/_cluster/local".
Then you have to modify indexes.conf, disabling or deleting the indexes you want to delete.
Then you have to go to the web GUI and push the configuration to the Indexers [Settings -- Indexers Clustering -- Push].
You can find documentation about this at https://docs.splunk.com/Documentation/Splunk/8.0.6/Indexer/Clusterdeploymentoverview
Hi @gcusello,
Apologies for the noob questions.
I got the below finding from the Splunk docs.
So editing indexes.conf on the master node is fine, as you mentioned before, but remove the index's directories from each peer node.
We have a replication factor of 3 for each bucket.
So in that case I need to log in to all three peers and delete the directories?
We have around 6 peers. Is there any way to find out which three of the 6 peers hold directories for the xyz index? Or is the only way to log in to each peer and dig in the directories to find out?
Yes, as described in the documentation, you first have to remove the index stanza from indexes.conf and push the new configuration.
Then you can delete all the index folders from each peer.
That’s true, deleting the index stanza didn’t remove the actual files from the nodes. That you must do yourself after the cluster peers have done a rolling restart.
You must log in to all (6) peers and remove that index there. Replication factor means that every individual bucket has been replicated to three peers, but as every index has several buckets, those are spread across all peers.
Good for you!
If the answer solves your need, please accept it for the other people of the community.
Ciao and good splunking.
P.S. Karma Points are appreciated by all the contributors 😉
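
The answers above remove the index stanza from indexes.conf first and delete the index folders on every peer afterwards, so the stanza's paths are worth recording before the stanza is gone. An added example, not part of the thread: it drops one stanza and returns the paths left to clean up on each peer; the sample indexes.conf, the `web_logs` index and the helper `remove_index` are constructed for illustration.

```python
import re

# Constructed sample of an indexes.conf as it might sit in
# $SPLUNK_HOME/etc/master-apps/_cluster/local (not taken from the thread).
SAMPLE_CONF = """\
[default]
repFactor = auto

[xyz]
homePath = $SPLUNK_DB/xyz/db
coldPath = $SPLUNK_DB/xyz/colddb
thawedPath = $SPLUNK_DB/xyz/thaweddb

[web_logs]
homePath = $SPLUNK_DB/web_logs/db
coldPath = $SPLUNK_DB/web_logs/colddb
thawedPath = $SPLUNK_DB/web_logs/thaweddb
"""

PATH_KEYS = ("homePath", "coldPath", "thawedPath")

def remove_index(conf_text, index):
    """Return (new_conf_text, paths) with the [index] stanza dropped.
    paths holds the stanza's path settings: what is still on disk on every peer."""
    kept, paths, in_target, found = [], {}, False, False
    for line in conf_text.splitlines():
        header = re.match(r"^\[(.+)\]\s*$", line)
        if header:  # a new stanza starts here
            in_target = header.group(1) == index
            found = found or in_target
        if not in_target:
            kept.append(line)
            continue
        setting = re.match(r"^\s*(\w+)\s*=\s*(.+?)\s*$", line)
        if setting and setting.group(1) in PATH_KEYS:
            paths[setting.group(1)] = setting.group(2)
    if not found:  # refuse to push an unchanged file by mistake
        raise KeyError(f"no [{index}] stanza in indexes.conf")
    return "\n".join(kept).rstrip("\n") + "\n", paths

if __name__ == "__main__":
    new_conf, leftover = remove_index(SAMPLE_CONF, "xyz")
    print(new_conf)
    for key, path in leftover.items():
        print(f"delete on each peer after the push: {path}  ({key})")
```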