Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Deleting an index in a distributed Splunk deployment

danielsofoulis
Path Finder
‎11-02-2016 08:32 PM

I would like to delete an index in Splunk using the following command.

splunk remove index

Just wondering where I should run this command? e.g. only on the Cluster Master (CM)? or on the indexers and CM?

I'm aware that data which is pointed to this index will be lost, any other risks I should be aware of?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎11-02-2016 08:53 PM

In a distributed peer/indexer cluster you remove the index from /opt/splunk/etc/master-apps/_cluster/local/indexes.conf OR /opt/splunk/etc/master-apps/YourIndexApp/(local|default)/indexes.conf on the cluster master and then push the cluster configuration bundle from the cluster master.

You should read this first:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Indexer/Managecommonconfigurations

then this:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Indexer/Configurethepeerindexes

Reply

danielsofoulis
Path Finder
‎11-02-2016 09:07 PM

Does this method of deleting indexes only remove the index from searching, but the data in that index is still stored on the servers? is that correct?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎11-03-2016 04:54 AM

Yes that is correct, it leaves the index on the disk still consuming disk space but stops any additional events from being written to the index and stops allowing it to be searched. To remove the files you have to log into each indexer and remove the index under /opt/splunk/var/lib/splunk/ (I believe that's the path, usually get it mixed up but /opt/splunk/var/lib/ is the root dir for sure).

Reply

jkat54
SplunkTrust
SplunkTrust
‎07-31-2018 07:47 PM

The path the old data will be stored in will depend on the home data path and cold data path settings that were in indexes.conf.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...