Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the "splunk remove excess-buckets [index-name]" command not working (GUI or CLI) in our multisite indexer cluster?

Ankitha_d
Path Finder
‎10-28-2015 08:53 AM

The splunk remove excess-buckets [index-name] command is not clearing all the excess buckets.
Have tried to clear from GUI and command line as well.
The buckets do not get cleared even after refreshing multiple types (keeping asynchronous operation in mind)

Is multisite indexer clustering creating a problem in this case?

Please help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

stanwin
Contributor
‎02-12-2016 06:33 AM

on a similar multisite related issue.. similar behaviour for the delete operator in my environment.

The |delete operator cleared data from one site, but data in the other multisite indexer was unaffected (i waited a long while >1.5 hours as the docs mention it may take a while..). The dataset was quite low & shouldnt have taken so long.

Had to manually run delete on the other site.

6.2.3 build 264376

View solution in original post

0 Karma
Reply
Solved! Jump to solution

muizash
Path Finder
‎11-11-2019 06:15 PM

While the data is rebalancing, you cannot remove excess buckets. Splunk has this limitation clearly mentioned in their document.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Removeextrabucketcopies

Reply
Solved! Jump to solution

rbal_splunk
Splunk Employee
Splunk Employee
‎06-28-2016 04:59 PM

For '|delete' to work in Splunk Indexed Clustered environment it is required that management for is open between on Cluster peers across sites.

Reply
Solved! Jump to solution

stanwin
Contributor
‎06-30-2016 03:48 AM

Thanks for the reply Rbal!

but could you elaborate on the 'management is open' part please?

The cluster master should be able to coordinate this across the sites, shouldnt it?

0 Karma
Reply
Solved! Jump to solution
Solution

stanwin
Contributor
‎02-12-2016 06:33 AM

on a similar multisite related issue.. similar behaviour for the delete operator in my environment.

The |delete operator cleared data from one site, but data in the other multisite indexer was unaffected (i waited a long while >1.5 hours as the docs mention it may take a while..). The dataset was quite low & shouldnt have taken so long.

Had to manually run delete on the other site.

6.2.3 build 264376

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...