We have a fairly large index in an indexer cluster of six indexers. What would be an easy way to remove this index from the cluster?
I don't know if this is "an easy way," but here is the way:
You are done!
Perfect as usual!!!!
In this instance the requirement is to delete the data, but not the index. The customer basically wants to start over fresh with an empty index.
One suggestion I've heard is to set frozenTimePeriodInSecs to something really small, push the config, and wait for Splunk to age-out all of the data. Once that's complete, restore frozenTimePeriodInSecs to its permanent value.
Thoughts on that, Lisa?
@GregZillgitt That would work!
But something that I should have mentioned before - no matter what you do, make sure that you disable any new inputs to this index while you are going through this process!
You could also delete the index as I described, then re-add the index to indexes.conf and push the cluster-bundle again.
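The frozenTimePeriodInSecs approach discussed in this thread, written out as an added example that is not from the original posters. The index name `bigindex` and both retention values are assumptions; the rest of the stanza (paths and other settings) is left as it already is.

```ini
# indexes.conf in the configuration bundle that the cluster master distributes
# (constructed example; "bigindex" and the numeric values are hypothetical)

# Step 1: temporary setting. After editing, push it from the cluster master:
#   splunk apply cluster-bundle
[bigindex]
# Buckets whose newest event is older than this many seconds roll to frozen.
frozenTimePeriodInSecs = 60
# Frozen buckets are deleted only when no archive target is configured, so
# neither coldToFrozenDir nor coldToFrozenScript may be set for this index
# if the goal is to discard the data rather than archive it.

# Step 2: once the index has aged out, restore the permanent value
# (here a hypothetical 90 days) and push the bundle again:
# [bigindex]
# frozenTimePeriodInSecs = 7776000
```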