Hello!
I stumbled across something interesting today while removing a test indexer from a deployment server. It removed my indexes.conf which made all of my data not searchable. That makes sense so I added it back thinking that I would have no more data but to my surprise all of the data was still there! We regularly remove indexes when it is no longer needed but thought that data would be purged when it was removed from indexes.conf. This brought on some concern when we saw that it was still available.
Assuming I have 10gb of space for data. 5gb set to index_01 and 5gb set to index_02. If I removed index_02 from indexes.conf and expanded index_01 to 10gb, then what happens to the index_02 data? Will index_01 still only be capped at 5gb since index_02 is still technically on the physical disk or will it eventually overwrite any data that is not inside the indexes.conf?
If you want to remove an index and also want to remove indexed data, please follow procedure from this Splunk documentation:
https://docs.splunk.com/Documentation/Splunk/7.2.5/Indexer/RemovedatafromSplunk#Remove_an_index_enti...
An index removed from indexes.conf doesn't free up the disk space utilized by the index. This feature is helpful to avoid accidental deletion of data which you mistyped index names in indexes.conf.
If you want to remove an index and also want to remove indexed data, please follow procedure from this Splunk documentation:
https://docs.splunk.com/Documentation/Splunk/7.2.5/Indexer/RemovedatafromSplunk#Remove_an_index_enti...
An index removed from indexes.conf doesn't free up the disk space utilized by the index. This feature is helpful to avoid accidental deletion of data which you mistyped index names in indexes.conf.