
How can we delete a large index from an indexer cluster?

Ultra Champion

We have a fairly large index in an indexer cluster of six indexers. What would be an easy way to remove this index from the cluster?


Re: How can we delete a large index from an indexer cluster?

Legend

I don't know if this is "an easy way," but here is the way:

  1. On the cluster master, remove the index from indexes.conf in the appropriate master apps.
  2. Apply the cluster-bundles to the indexers, which will distribute the master apps (and updated indexes.conf). At this point, the index will no longer be defined, but the index files will not be removed. The indexers should restart as part of applying the cluster bundle.
  3. IF the indexers did not restart (they should have!), then place the cluster in maintenance mode and do a rolling restart. Then remove the cluster from maintenance mode.
  4. Log in to each indexer and remove all the files and directories associated with the index, to recover the disk space. You should not need to put the cluster in maintenance mode, nor should you need to restart Splunk to do this step.

You are done!

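Steps 1 and 4 of the answer above, as an added example that is not part of the original post and is not Splunk tooling: it drops one index stanza from the text of an indexes.conf and reports the bucket directories that stanza pointed to, so they can be reviewed before being deleted on each indexer. The index names, the sample configuration and the default `$SPLUNK_DB` location are assumptions made for the illustration.

```python
import re

PATH_KEYS = ("homePath", "coldPath", "thawedPath")  # bucket directories of an index
STANZA = re.compile(r"^\[([^\]]+)\]$")

def remove_index(conf_text, index, splunk_db="/opt/splunk/var/lib/splunk"):
    """Drop the [index] stanza; return (new_conf_text, dirs_to_delete).

    splunk_db is an assumed value for $SPLUNK_DB; pass the real one for your hosts.
    """
    kept, paths, current, found = [], [], None, False
    for line in conf_text.splitlines():
        header = STANZA.match(line.strip())
        if header:
            current = header.group(1)
            found = found or current == index
        if current != index:
            kept.append(line)  # other stanzas and global settings are untouched
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() in PATH_KEYS:
            value = value.strip().replace("$_index_name", index)
            paths.append(value.replace("$SPLUNK_DB", splunk_db))
    if not found:
        raise KeyError(f"no [{index}] stanza in indexes.conf")
    return "\n".join(kept) + "\n", paths

# Constructed sample, not taken from the thread.
SAMPLE_CONF = """\
[default]
frozenTimePeriodInSecs = 188697600

[web_proxy]
homePath = $SPLUNK_DB/web_proxy/db
coldPath = $SPLUNK_DB/web_proxy/colddb
thawedPath = $SPLUNK_DB/web_proxy/thaweddb

[firewall]
homePath = $SPLUNK_DB/$_index_name/db
coldPath = $SPLUNK_DB/$_index_name/colddb
thawedPath = $SPLUNK_DB/$_index_name/thaweddb
"""

if __name__ == "__main__":
    new_conf, dirs = remove_index(SAMPLE_CONF, "firewall")
    print(new_conf)
    print("Remove on each indexer once the bundle has been applied:")
    for d in dirs:
        print("  ", d)
```

The script only lists the directories; paths that reference a `volume:` definition are returned unexpanded and have to be resolved by hand.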


Re: How can we delete a large index from an indexer cluster?

Ultra Champion

Perfect as usual !!!!


Re: How can we delete a large index from an indexer cluster?

Path Finder

In this instance the requirement is to delete the data, but not the index. The customer basically wants to start over fresh with an empty index.

One suggestion I've heard is to set frozenTimePeriodInSecs to something really small, push the config, and wait for Splunk to age-out all of the data. Once that's complete, restore frozenTimePeriodInSecs to its permanent value.

Thoughts on that, Lisa?


Re: How can we delete a large index from an indexer cluster?

Legend

@GregZillgitt That would work!

But something that I should have mentioned before - no matter what you do, make sure that you disable any new inputs to this index while you are going through this process!

You could also delete the index as I described, then re-add the index to indexes.conf and push the cluster-bundle again.
