Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How can we delete a large index from an indexer cl...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have a fairly large index in an indexer cluster of six indexers. What would be an easy way to remove this index from the cluster?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know if this is "an easy way," but here is the way:
- On the cluster master, remove the index from indexes.conf in the appropriate master apps.
- Apply the cluster-bundles to the indexers, which will distribute the master apps (and updated indexes.conf). At this point, the index will no longer be defined, but the index files will not be removed. The indexers should restart as part of applying the cluster bundle.
- IF the indexers did not restart (they should have!), then place the cluster in maintenance mode and do a rolling restart. Then remove the cluster from maintenance mode.
- Log in to each indexer and remove all the files and directories associated with the index, to recover the disk space. You should not need to put the cluster in maintenance mode, nor should you need to restart Splunk to do this step.
You are done!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know if this is "an easy way," but here is the way:
- On the cluster master, remove the index from indexes.conf in the appropriate master apps.
- Apply the cluster-bundles to the indexers, which will distribute the master apps (and updated indexes.conf). At this point, the index will no longer be defined, but the index files will not be removed. The indexers should restart as part of applying the cluster bundle.
- IF the indexers did not restart (they should have!), then place the cluster in maintenance mode and do a rolling restart. Then remove the cluster from maintenance mode.
- Log in to each indexer and remove all the files and directories associated with the index, to recover the disk space. You should not need to put the cluster in maintenance mode, nor should you need to restart Splunk to do this step.
You are done!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect as usual !!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In this instance the requirement is to delete the data, but not the index. The customer basically wants to start over fresh with an empty index.
One suggestion I've heard is to set frozenTimePeriodInSecs to something really small, push the config, and wait for Splunk to age-out all of the data. Once that's complete, restore frozenTimePeriodInSecs to its permanent value.
Thoughts on that Lisa?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@GregZillgitt That would work!
But something that I should have mentioned before - no matter what you do, make sure that you disable any new inputs to this index while you are going through this process!
You could also delete the index as I described, then re-add the index to indexes.conf and push the cluster-bundle again.
Data Persistence in the OpenTelemetry Collector
Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever
Community Content Calendar, September edition
