Deployment Architecture

What are the steps to remove data from an indexer cluster?

Path Finder

Hi,

I am new to Splunk, could you please help?

I have a Splunk cluster: 1 master (also the license master), a 3-node indexer cluster, and 1 search head. I want to delete the data in a specific index.

Could you please verify if the following steps are correct to delete event data?

1. On the master node: put the cluster in maintenance mode
2. Stop the indexers: splunk stop on each indexer
3. Remove the data using the command splunk clean eventdata -index xyz (where do I run this command, on each indexer node?)
4. Start the indexers: splunk start on each indexer
5. On the master node: disable maintenance mode


SplunkTrust

hello there,

your approach will be very tough to achieve.
below is an approach with no downtime, no maintenance mode and no indexer access
steps to remove all data:
1. stop data sources for that index from sending data to that particular index (modify the relevant inputs.conf on the source)
2. on the cluster master, find the app that has the relevant index configuration (indexes.conf)
3. find the relevant [stanza] index name
4. modify (or add) frozenTimePeriodInSecs and give it a minimal value, like 10 or 60
5. push the configuration to the indexers: $SPLUNK_HOME/bin/splunk apply cluster-bundle
6. watch the sunset as your data fades away.
7. if you need the index for new data, modify the config you changed earlier back to the desired value and apply the cluster bundle again

essentially what you are doing is telling Splunk to freeze all events older than 10 seconds.
Splunk will remove data very, very fast; make sure you changed the value on the right index [stanza], there is no coming back from this one.
lastly, verify that you don't have a cold-to-frozen script or configuration, as all your data will be shipped somewhere else.

hope it helps and please let us know how it worked for you

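The two things that can go wrong with the retention trick above are exactly the two warnings in the answer: the tiny frozenTimePeriodInSecs lands in the wrong stanza (or in [default], which every index inherits), or a coldToFrozenDir / coldToFrozenScript turns "frozen" into "archived somewhere" instead of "deleted". The following pre-flight check is an added example written for this page; it is not part of the thread and not a Splunk tool. It parses a single indexes.conf with Python's configparser and reports what pushing it would do to one index. The indexes.conf contents, the index names xyz and payroll, the archive path, and the `<app>` placeholder in the path comment are all constructed assumptions.

```python
"""Pre-flight check for the purge-by-retention approach described above.

Parses one indexes.conf and reports, for a target index: the effective
frozenTimePeriodInSecs, whether a cold-to-frozen archive setting applies
(frozen buckets would be copied, not deleted), and which other indexes would
be purged with it (the symptom of the value having been put into [default]).
"""
import configparser

# Value Splunk ships in system/default/indexes.conf: 188697600 s (6 years).
SPLUNK_DEFAULT_FROZEN_SECS = 188697600
# If either of these applies, "frozen" means "copied to an archive", not "deleted".
ARCHIVE_KEYS = ("coldToFrozenDir", "coldToFrozenScript")

# Constructed sample (not from the thread) of what
# $SPLUNK_HOME/etc/master-apps/<app>/local/indexes.conf might hold; <app> is a
# placeholder.  Here the edit from the answer correctly landed in [xyz].
SAMPLE_INDEXES_CONF = """\
[default]
frozenTimePeriodInSecs = 7776000

[volume:hot]
path = /opt/splunk/var/lib/splunk

[xyz]
homePath = volume:hot/xyz/db
coldPath = volume:hot/xyz/colddb
thawedPath = $SPLUNK_DB/xyz/thaweddb
frozenTimePeriodInSecs = 60

[payroll]
homePath = volume:hot/payroll/db
coldPath = volume:hot/payroll/colddb
thawedPath = $SPLUNK_DB/payroll/thaweddb
coldToFrozenDir = /archive/payroll
"""

# Constructed failure case: the same 60-second value pasted into [default]
# instead of [xyz], so every index (payroll included) inherits it.
SAMPLE_WRONG_STANZA = SAMPLE_INDEXES_CONF.replace(
    "[default]\nfrozenTimePeriodInSecs = 7776000",
    "[default]\nfrozenTimePeriodInSecs = 60",
).replace(
    "thawedPath = $SPLUNK_DB/xyz/thaweddb\nfrozenTimePeriodInSecs = 60",
    "thawedPath = $SPLUNK_DB/xyz/thaweddb",
)


def load_indexes_conf(text):
    """Parse Splunk's INI-style conf text.  Keys are case-sensitive in Splunk
    and $VARS such as $SPLUNK_DB must not be interpolated, hence the settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def effective(cp, stanza, key, fallback=None):
    """A setting from the index's own stanza, else from [default], else fallback.
    This models one file only; the cross-app merge is what btool shows."""
    for section in (stanza, "default"):
        if cp.has_section(section) and cp.has_option(section, key):
            return cp.get(section, key)
    return fallback


def retention(cp, stanza):
    """Effective frozenTimePeriodInSecs for a stanza, as an int."""
    return int(effective(cp, stanza, "frozenTimePeriodInSecs", SPLUNK_DEFAULT_FROZEN_SECS))


def preflight(conf_text, target, max_secs=60):
    """Report what pushing this indexes.conf would do to `target`.

    ok is True only if the target's retention is at most max_secs, no
    cold-to-frozen archive setting applies to it, and no other index is
    also down at or below max_secs.
    """
    cp = load_indexes_conf(conf_text)
    if not cp.has_section(target):
        raise KeyError(f"no [{target}] stanza in this file")
    frozen = retention(cp, target)
    archive = {k: effective(cp, target, k) for k in ARCHIVE_KEYS if effective(cp, target, k)}
    collateral = [
        s for s in cp.sections()
        if s not in (target, "default") and not s.startswith("volume:") and retention(cp, s) <= max_secs
    ]
    return {
        "index": target,
        "frozenTimePeriodInSecs": frozen,
        "archives_to": archive,
        "also_purged": collateral,
        "ok": frozen <= max_secs and not archive and not collateral,
    }


if __name__ == "__main__":
    for label, conf in (("correct stanza", SAMPLE_INDEXES_CONF), ("edited [default]", SAMPLE_WRONG_STANZA)):
        print(label, preflight(conf, "xyz"))
    print("payroll", preflight(SAMPLE_INDEXES_CONF, "payroll"))
```

The check reads a single file, which is all you can inspect on the master before the push. After the bundle is applied (on the master: splunk validate cluster-bundle, splunk apply cluster-bundle, then splunk show cluster-bundle-status), confirm the merged value across all apps on an indexer with splunk btool indexes list xyz --debug, which also shows which file each setting came from; that is where a coldToFrozenDir set by some other app would appear.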

Path Finder

Thanks a lot... That worked


