Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the "splunk remove excess-buckets [index-name]" command not working (GUI or CLI) in our multisite indexer cluster?

Ankitha_d
Path Finder
‎10-28-2015 08:53 AM

The splunk remove excess-buckets [index-name] command is not clearing all the excess buckets.
Have tried to clear from GUI and command line as well.
The buckets do not get cleared even after refreshing multiple types (keeping asynchronous operation in mind)

Is multisite indexer clustering creating a problem in this case?

Please help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

stanwin
Contributor
‎02-12-2016 06:33 AM

on a similar multisite related issue.. similar behaviour for the delete operator in my environment.

The |delete operator cleared data from one site, but data in the other multisite indexer was unaffected (i waited a long while >1.5 hours as the docs mention it may take a while..). The dataset was quite low & shouldnt have taken so long.

Had to manually run delete on the other site.

6.2.3 build 264376

View solution in original post

0 Karma
Reply
Solved! Jump to solution

muizash
Path Finder
‎11-11-2019 06:15 PM

While the data is rebalancing, you cannot remove excess buckets. Splunk has this limitation clearly mentioned in their document.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Removeextrabucketcopies

Reply
Solved! Jump to solution

rbal_splunk
Splunk Employee
Splunk Employee
‎06-28-2016 04:59 PM

For '|delete' to work in Splunk Indexed Clustered environment it is required that management for is open between on Cluster peers across sites.

Reply
Solved! Jump to solution

stanwin
Contributor
‎06-30-2016 03:48 AM

Thanks for the reply Rbal!

but could you elaborate on the 'management is open' part please?

The cluster master should be able to coordinate this across the sites, shouldnt it?

0 Karma
Reply
Solved! Jump to solution
Solution

stanwin
Contributor
‎02-12-2016 06:33 AM

on a similar multisite related issue.. similar behaviour for the delete operator in my environment.

The |delete operator cleared data from one site, but data in the other multisite indexer was unaffected (i waited a long while >1.5 hours as the docs mention it may take a while..). The dataset was quite low & shouldnt have taken so long.

Had to manually run delete on the other site.

6.2.3 build 264376

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...