How can we delete a large index from an indexer cluster?

ddrillic
Ultra Champion

We have a fairly large index in an indexer cluster of six indexers. What would be an easy way to remove this index from the cluster?

lguinn2
Legend

I don't know if this is "an easy way," but here is the way:

  1. On the cluster master, remove the index from indexes.conf in the appropriate master apps.
  2. Apply the cluster-bundles to the indexers, which will distribute the master apps (and updated indexes.conf). At this point, the index will no longer be defined, but the index files will not be removed. The indexers should restart as part of applying the cluster bundle.
  3. IF the indexers did not restart (they should have!), then place the cluster in maintenance mode and do a rolling restart. Then remove the cluster from maintenance mode.
  4. Log in to each indexer and remove all the files and directories associated with the index, to recover the disk space. You should not need to put the cluster in maintenance mode, nor should you need to restart Splunk to do this step.

You are done!
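
An added example, not part of the original answer or of Splunk's own tooling: two helpers for steps 1 and 4 that read `indexes.conf`, one listing the directories an index stanza points at (through its `homePath`, `coldPath` and `thawedPath` settings) so you know what to remove on each indexer, the other printing the file without that stanza. The index name `bigindex`, the sample config and the `$SPLUNK_DB` value are constructed assumptions; nothing here deletes anything.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. The index name "bigindex" and
# the sample indexes.conf are constructed. Nothing here deletes anything.

# Constructed sample of a master-apps indexes.conf with two index stanzas.
sample_conf() {
  cat <<'EOF'
[bigindex]
homePath   = $SPLUNK_DB/bigindex/db
coldPath   = /cold/bigindex/colddb
thawedPath = $SPLUNK_DB/bigindex/thaweddb
frozenTimePeriodInSecs = 7776000

[keepme]
homePath   = $SPLUNK_DB/keepme/db
coldPath   = $SPLUNK_DB/keepme/colddb
thawedPath = $SPLUNK_DB/keepme/thaweddb
EOF
}

# Step 4 input: print the directories one index stanza points at, with the
# literal $SPLUNK_DB replaced by the value given as the third argument.
# usage: index_paths <indexes.conf or - for stdin> <index> <splunk_db_dir>
index_paths() {
  awk -v want="[$2]" -v db="$3" '
    { line = $0; sub(/[ \t]+$/, "", line) }
    line ~ /^\[/ { inside = (line == want); next }
    inside && line ~ /^(homePath|coldPath|thawedPath)[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, "", line)
      gsub(/\$SPLUNK_DB/, db, line)
      print line
    }' "$1"
}

# Step 1: print indexes.conf without the stanza for one index; every other
# stanza is passed through unchanged.
# usage: remove_index_stanza <indexes.conf or - for stdin> <index>
remove_index_stanza() {
  awk -v want="[$2]" '
    { line = $0; sub(/[ \t]+$/, "", line) }
    line ~ /^\[/ { skip = (line == want) }
    !skip' "$1"
}

# Demo on the constructed sample: list the bigindex directories.
sample_conf | index_paths - bigindex /opt/splunk/var/lib/splunk
```

Run `index_paths` before removing the stanza and keep its output, since the paths are no longer in the file afterwards.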

ddrillic
Ultra Champion

Perfect as usual !!!!

GregZillgitt
Path Finder

In this instance the requirement is to delete the data, but not the index. The customer basically wants to start over fresh with an empty index.

One suggestion I've heard is to set frozenTimePeriodInSecs to something really small, push the config, and wait for Splunk to age-out all of the data. Once that's complete, restore frozenTimePeriodInSecs to its permanent value.

Thoughts on that, Lisa?

lguinn2
Legend

@GregZillgitt That would work!

But something that I should have mentioned before - no matter what you do, make sure that you disable any new inputs to this index while you are going through this process!

You could also delete the index as I described, then re-add the index to indexes.conf and push the cluster-bundle again.
