Getting Data In

How is data handled with indexes.conf when the index is removed?

matthewssa
Path Finder

Hello!

I stumbled across something interesting today while removing a test indexer from a deployment server. It removed my indexes.conf which made all of my data not searchable. That makes sense so I added it back thinking that I would have no more data but to my surprise all of the data was still there! We regularly remove indexes when it is no longer needed but thought that data would be purged when it was removed from indexes.conf. This brought on some concern when we saw that it was still available.

Assuming I have 10gb of space for data. 5gb set to index_01 and 5gb set to index_02. If I removed index_02 from indexes.conf and expanded index_01 to 10gb, then what happens to the index_02 data? Will index_01 still only be capped at 5gb since index_02 is still technically on the physical disk or will it eventually overwrite any data that is not inside the indexes.conf?

1 Solution

somesoni2
Revered Legend

If you want to remove an index and also want to remove indexed data, please follow procedure from this Splunk documentation:
https://docs.splunk.com/Documentation/Splunk/7.2.5/Indexer/RemovedatafromSplunk#Remove_an_index_enti...

An index removed from indexes.conf doesn't free up the disk space utilized by the index. This feature is helpful to avoid accidental deletion of data which you mistyped index names in indexes.conf.

View solution in original post

somesoni2
Revered Legend

If you want to remove an index and also want to remove indexed data, please follow procedure from this Splunk documentation:
https://docs.splunk.com/Documentation/Splunk/7.2.5/Indexer/RemovedatafromSplunk#Remove_an_index_enti...

An index removed from indexes.conf doesn't free up the disk space utilized by the index. This feature is helpful to avoid accidental deletion of data which you mistyped index names in indexes.conf.

Get Updates on the Splunk Community!

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...

Enterprise Security Content Update (ESCU) | New Releases

In October, the Splunk Threat Research Team had one release of new security content via the Enterprise ...