Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why deleted events reappear in indexcluster?

marcohoffmann
Explorer
‎11-06-2019 10:21 PM

Hi community,
Sometimes we have to delete events in splunk especially because some GDPR reasons.
After 5 year using ~20 standalone indexer we switched to indexcluster and now deleting events is not safe anymore.
Some deleted events reappear randomly after a few weeks.
Aren't the events not marked as deleted in the replicas? If so, how can mark all copies as deleted?

best regards
Mrco

Reply
1 Solution
Solved! Jump to solution
Solution

jhornsby_splunk
Splunk Employee
Splunk Employee
‎11-08-2019 09:08 AM

Hi @marcohoffmann,

What version of Splunk is this occurring on, and is it a single- or multi- site cluster?

Cheers,

- Jo.

View solution in original post

Reply
Solved! Jump to solution

inawaz123
Loves-to-Learn
‎11-10-2019 07:29 PM

We experienced same behaviors, i have came up with my own process in ansible to run a cli command from backend via cli and delete event in individual indexer peers rather than user cli, but that way it is very clean and i would be able to do this cleanup effectively.

0 Karma
Reply
Solved! Jump to solution
Solution

jhornsby_splunk
Splunk Employee
Splunk Employee
‎11-08-2019 09:08 AM

Hi @marcohoffmann,

What version of Splunk is this occurring on, and is it a single- or multi- site cluster?

Cheers,

- Jo.

Reply
Solved! Jump to solution

marcohoffmann
Explorer
‎11-10-2019 11:07 PM

Hi,
as I understand it is a multi-site cluster with 2 sites. The replicas are always forced to be on the other site. For searchhead we have no special conditions.

We run a relative old version 6.4.4.

Cheers,
Marco

0 Karma
Reply
Solved! Jump to solution

jhornsby_splunk
Splunk Employee
Splunk Employee
‎11-11-2019 04:38 AM

Hi @marcohoffmann,

Ah, okay. So 6.4.4 does not have the fix for SPL-136734/SPL-100516, which addresses multiple issues with delete propagation, so upgrading may address your issue. However we are also tracking an issue internally, SPL-138846, which is specific to multisite clusters. Unfortunately there's no fix available for that issue as yet, but it is being worked on.

Cheers,

- Jo.

0 Karma
Reply
Solved! Jump to solution

marcohoffmann
Explorer
‎11-12-2019 10:06 PM

Thank you, we will do it asap. For some interests, where can I found in which release this issues SPL-136734/SPL-100516 were solved?

0 Karma
Reply
Solved! Jump to solution

jhornsby_splunk
Splunk Employee
Splunk Employee
‎11-13-2019 02:01 AM

Hi @marcohoffmann,

For the 6.4 series, it was fixed in 6.4.7; see here: https://docs.splunk.com/Documentation/Splunk/6.4.7/ReleaseNotes/6.4.7

For later versions, it's fixed in 6.5.3, and all versions from 6.6.0 onwards.

Good luck! &:)

Cheers,

- Jo.

0 Karma
Reply
Solved! Jump to solution

HansWurscht
Path Finder
‎02-21-2020 09:03 AM

We are using a multisite indexcluster (replicate 1 copy to a different location) and we are also having issues using 'delete' from our SHC.

Events are reappering after we issued the delete command.

Is there still a bug or is the mentioned multisite issue already fixed?
We are currently on 7.3.3.

0 Karma
Reply
Solved! Jump to solution

jhornsby_splunk
Splunk Employee
Splunk Employee
‎02-24-2020 04:08 AM

Hi @HansWurscht,

The fix for SPL-138846 is still in progress.

Cheers,

- Jo.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...