Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I delete the DB data files in the search head or are there some steps that I need to follow beforehand?

_pravin
Communicator
‎10-25-2022 09:55 AM

Hi Community,

 

We have a cluster setup for our Splunk install where all the data are indexed at the data layer (data from heavy forwarders, indexers, and even the _internal data from the search head). The current size of indexes in the Splunk Search head should be 1 MB but I notice that one of the indexes and a few internal indexes get data. This increases the size of the search head in addition to the increase in the size of the indexes in the indexers.

When I check the last event received by the indexer in the search head, it shows 8 months ago in the GUI and also in the backend files. But when I check the same in any of the indexers, the last event was received recently. My doubt is can I delete the DB data files in the search head or are there some steps that I need to follow before I remove the DB files directly?

 

Regards,

Pravin

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sylim_splunk
Splunk Employee
Splunk Employee
‎10-25-2022 01:17 PM

You can use "splunk clean eventdata -index " command like below;

$ splunk stop

$ splunk clean eventdata -index "_internal"

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-25-2022 11:10 PM

Hi @_pravin,

if you have an Indexer Cluster, the easiest way to clean an index is to modify the retention period of that index, modifying the frozenTimePeriodInSecs to a very little value in the Master Node and then push the configuration to the Search Peers (Indexers); in this way all the buckets, except the Hot ones, will be deleted.

Then you can restore the correct retention period.

The thing I don't understand is why you have indexed data on the Search Heads: it's a best practice to forward all logs from the Splunk infrastructure ato Indexers.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

_pravin
Communicator
‎10-26-2022 02:44 AM

Hi @gcusello ,

 

Thanks for the response. I could use this solution to remove data older than 8 months and then revert back to the old configurations.

Even I have the same doubt as to why the search head has data when all the logs have been forwarded to the indexers.

 

Regards,

Pravin

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-26-2022 03:28 AM

Hi @_pravin,

check if there's an index and forward option in outputs.conf.

This is the only option that justifies the presence of new logs on SH.

then check if the indexes on SH are old: maybe they where created in the beginning of the activity and they aren't used when you forwarded logs to Indexers.

Ciao.

Giuseppe

Reply
Solved! Jump to solution
Solution

sylim_splunk
Splunk Employee
Splunk Employee
‎10-25-2022 01:17 PM

You can use "splunk clean eventdata -index " command like below;

$ splunk stop

$ splunk clean eventdata -index "_internal"

Reply
Solved! Jump to solution

_pravin
Communicator
‎10-26-2022 02:43 AM

Hi @sylim_splunk ,

 

Won't this delete the entire data from the index in the cluster? I want to delete only the data present in the search head.

 

Regards,

Pravin

Reply
Solved! Jump to solution

sylim_splunk
Splunk Employee
Splunk Employee
‎10-26-2022 04:49 PM

@_pravin  the command is only effective on the SH you run. And the index buckets in the indexers are not affected by the commend.

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-25-2022 11:14 AM

If you no longer care about the 8-months-old data on the search then you can delete it.  Be sure to restart the SH afterwards.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

_pravin
Communicator
‎10-26-2022 02:47 AM

Hi @richgalloway ,

 

Do you mean to say that I can directly delete the data from the DB and still retain all the data from the indexers? Won't this affect the data in the indexers in any way?

 

Regards,

Pravin

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-26-2022 05:31 AM

If you delete the DB files from the Search Head, the indexers will not be affected.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...