splunk remove excess-buckets [index-name] command is not clearing all the excess buckets.
Have tried to clear from GUI and command line as well.
The buckets do not get cleared even after refreshing multiple types (keeping asynchronous operation in mind)
Is multisite indexer clustering creating a problem in this case?
on a similar multisite related issue.. similar behaviour for the delete operator in my environment.
The |delete operator cleared data from one site, but data in the other multisite indexer was unaffected (i waited a long while >1.5 hours as the docs mention it may take a while..). The dataset was quite low & shouldnt have taken so long.
Had to manually run delete on the other site.
6.2.3 build 264376
For '|delete' to work in Splunk Indexed Clustered environment it is required that management for is open between on Cluster peers across sites.
Thanks for the reply Rbal!
but could you elaborate on the 'management is open' part please?
The cluster master should be able to coordinate this across the sites, shouldnt it?
While the data is rebalancing, you cannot remove excess buckets. Splunk has this limitation clearly mentioned in their document.