Solved: Re: Why deleted events reappear in indexcluster?

marcohoffmann · ‎11-06-2019

Hi community,
Sometimes we have to delete events in splunk especially because some GDPR reasons.
After 5 year using ~20 standalone indexer we switched to indexcluster and now deleting events is not safe anymore.
Some deleted events reappear randomly after a few weeks.
Aren't the events not marked as deleted in the replicas? If so, how can mark all copies as deleted?

best regards
Mrco

jhornsby_splunk · ‎11-08-2019

Hi @marcohoffmann,

What version of Splunk is this occurring on, and is it a single- or multi- site cluster?

Cheers,

- Jo.

View solution in original post

inawaz123 · ‎11-10-2019

We experienced same behaviors, i have came up with my own process in ansible to run a cli command from backend via cli and delete event in individual indexer peers rather than user cli, but that way it is very clean and i would be able to do this cleanup effectively.

jhornsby_splunk · ‎11-08-2019

Hi @marcohoffmann,

What version of Splunk is this occurring on, and is it a single- or multi- site cluster?

Cheers,

- Jo.

marcohoffmann · ‎11-10-2019

Hi,
as I understand it is a multi-site cluster with 2 sites. The replicas are always forced to be on the other site. For searchhead we have no special conditions.

We run a relative old version 6.4.4.

Cheers,
Marco

jhornsby_splunk · ‎11-11-2019

Hi @marcohoffmann,

Ah, okay. So 6.4.4 does not have the fix for SPL-136734/SPL-100516, which addresses multiple issues with delete propagation, so upgrading may address your issue. However we are also tracking an issue internally, SPL-138846, which is specific to multisite clusters. Unfortunately there's no fix available for that issue as yet, but it is being worked on.

Cheers,

- Jo.

marcohoffmann · ‎11-12-2019

Thank you, we will do it asap. For some interests, where can I found in which release this issues SPL-136734/SPL-100516 were solved?

jhornsby_splunk · ‎11-13-2019

Hi @marcohoffmann,

For the 6.4 series, it was fixed in 6.4.7; see here: https://docs.splunk.com/Documentation/Splunk/6.4.7/ReleaseNotes/6.4.7

For later versions, it's fixed in 6.5.3, and all versions from 6.6.0 onwards.

Good luck! &:)

Cheers,

- Jo.

HansWurscht · ‎02-21-2020

We are using a multisite indexcluster (replicate 1 copy to a different location) and we are also having issues using 'delete' from our SHC.

Events are reappering after we issued the delete command.

Is there still a bug or is the mentioned multisite issue already fixed?
We are currently on 7.3.3.

jhornsby_splunk · ‎02-24-2020

Hi @HansWurscht,

The fix for SPL-138846 is still in progress.

Cheers,

- Jo.

Why deleted events reappear in indexcluster?

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update