Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Removing indexes from Cluster environment

samcyber20
Explorer
‎10-06-2020 12:14 AM

Hi,

This is my first question in Splunk community.

Could anyone please guide me with proper steps to remove indexes from Splunk cluster environment

Plus have to remove all dashboard, reports , source type renaming , all storage of Indexes and etc. 

 

Thanks 

Sam

 

Reply

gcusello
SplunkTrust
SplunkTrust
‎10-06-2020 12:23 AM

Hi @samcyber20,

probably, you're speaking of Master Node, not Deployment Server, because You cannot use Deployment Server to manage clustered Indexers!

Anyway, managing Indexer Cluster from Master Node, to Remove indexes, you have to enter in the Master Node in SSH and open, in "$SPLUNK_HOME/etc/master-apps" folder the Technical Add-On (TA) containing indexes.conf.

If you haven't a TA_Indexers, you should find indexes.conf in "$SPLUNK_HOME/etc/master-apps/_cluster/local".

Then you have to modify indexes.conf disabling or deleting the indexes you want to delete.

Then you have to go in the web GUI and push the configuration to Indexers [Settings -- Indexers Clustering -- Push].

You can find a documentation about this at https://docs.splunk.com/Documentation/Splunk/8.0.6/Indexer/Clusterdeploymentoverview

Ciao.

Giuseppe

Reply

samcyber20
Explorer
‎10-08-2020 02:27 PM

Hi @gcusello ,

Apologies for the noob questions,

I got below finding from Splunk docs.

samcyber20_0-1602191812349.pngSo editing indexes.conf on master node is fine as you mentioned before. but remove index's directories from each peer nodes. 

we have 3 replication factor for each bucket. 

so in that case I need to login all three peers and delete directories?

we have around 6 peers, any way to find that out of 6 peers which three peers hold directories for xyz index. Or only way is I have to login on each peer and dig in directories to find out.

 

 

https://docs.splunk.com/Documentation/Splunk/8.0.6/Indexer/RemovedatafromSplunk

 

Thanks 

Sam

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-08-2020 11:20 PM

Hi @samcyber20,

yes, as described in the documentation, you have at first to remove index stanza from indexes.conf and push the new configuration.

Then you can delete all the index folders from each peers.

Ciao.

Giuseppe

Reply

isoutamo
SplunkTrust
SplunkTrust
‎10-09-2020 11:28 AM

That’s true, deleting index stanza didn’t remove actual files from nodes. That you must do by yourself after cluster peers have done rolling restart.

You must login to all (6) peers and remove that index there. Replication factor means that every individual buckets have replicated to three peers, but as every index has several buckets those are spread across all peers.

r. Ismo

Reply

samcyber20
Explorer
‎10-06-2020 03:36 PM

Hi @gcusello ,

Thanks for clearing out my confusion.

Still I am not clear about few things, but I will look first what you suggested.

Regards,

Sam

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-10-2020 09:23 AM

Hi @samcyber20,

good for you!

If the answer solves your need, please, accept it for the other people of community.

Ciao and good splunking.

Giuseppe

P.S. Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...