Why do deleted events reappear in an index cluster?

marcohoffmann
Explorer

Hi community,
Sometimes we have to delete events in Splunk, especially for GDPR reasons.
After 5 years using ~20 standalone indexers we switched to an index cluster, and now deleting events is not safe anymore.
Some deleted events reappear randomly after a few weeks.
Are the events not marked as deleted in the replicas? If so, how can I mark all copies as deleted?

Best regards,
Marco

inawaz123
Loves-to-Learn

We experienced the same behavior. I have come up with my own process in Ansible to run a CLI command from the backend and delete events on the individual indexer peers rather than via the user CLI, but that way it is very clean and I would be able to do this cleanup effectively.

0 Karma

jhornsby_splunk
Splunk Employee

Hi @marcohoffmann,

What version of Splunk is this occurring on, and is it a single- or multi- site cluster?

Cheers,

- Jo.

marcohoffmann
Explorer

Hi,
As I understand it, it is a multi-site cluster with 2 sites. The replicas are always forced to be on the other site. For the search head we have no special conditions.

We run a relatively old version, 6.4.4.

Cheers,
Marco

0 Karma

jhornsby_splunk
Splunk Employee

Hi @marcohoffmann,

Ah, okay. So 6.4.4 does not have the fix for SPL-136734/SPL-100516, which addresses multiple issues with delete propagation, so upgrading may address your issue. However, we are also tracking an issue internally, SPL-138846, which is specific to multisite clusters. Unfortunately there's no fix available for that issue as yet, but it is being worked on.

Cheers,

- Jo.

0 Karma

marcohoffmann
Explorer

Thank you, we will do it ASAP. Out of interest, where can I find in which release these issues SPL-136734/SPL-100516 were solved?

0 Karma

jhornsby_splunk
Splunk Employee

Hi @marcohoffmann,

For the 6.4 series, it was fixed in 6.4.7; see here: https://docs.splunk.com/Documentation/Splunk/6.4.7/ReleaseNotes/6.4.7

For later versions, it's fixed in 6.5.3, and all versions from 6.6.0 onwards.

Good luck! :)

Cheers,

- Jo.

0 Karma

HansWurscht
Path Finder

We are using a multisite index cluster (replicating 1 copy to a different location) and we are also having issues using 'delete' from our SHC.

Events are reappearing after we issued the delete command.

Is there still a bug or is the mentioned multisite issue already fixed?
We are currently on 7.3.3.

0 Karma

jhornsby_splunk
Splunk Employee

Hi @HansWurscht,

The fix for SPL-138846 is still in progress.

Cheers,

- Jo.

0 Karma