Getting Data In

How is data handled with indexes.conf when the index is removed?

matthewssa
Path Finder

Hello!

I stumbled across something interesting today while removing a test indexer from a deployment server. It removed my indexes.conf which made all of my data not searchable. That makes sense so I added it back thinking that I would have no more data but to my surprise all of the data was still there! We regularly remove indexes when it is no longer needed but thought that data would be purged when it was removed from indexes.conf. This brought on some concern when we saw that it was still available.

Assuming I have 10gb of space for data. 5gb set to index_01 and 5gb set to index_02. If I removed index_02 from indexes.conf and expanded index_01 to 10gb, then what happens to the index_02 data? Will index_01 still only be capped at 5gb since index_02 is still technically on the physical disk or will it eventually overwrite any data that is not inside the indexes.conf?

1 Solution

somesoni2
Revered Legend

If you want to remove an index and also want to remove indexed data, please follow procedure from this Splunk documentation:
https://docs.splunk.com/Documentation/Splunk/7.2.5/Indexer/RemovedatafromSplunk#Remove_an_index_enti...

An index removed from indexes.conf doesn't free up the disk space utilized by the index. This feature is helpful to avoid accidental deletion of data which you mistyped index names in indexes.conf.

View solution in original post

somesoni2
Revered Legend

If you want to remove an index and also want to remove indexed data, please follow procedure from this Splunk documentation:
https://docs.splunk.com/Documentation/Splunk/7.2.5/Indexer/RemovedatafromSplunk#Remove_an_index_enti...

An index removed from indexes.conf doesn't free up the disk space utilized by the index. This feature is helpful to avoid accidental deletion of data which you mistyped index names in indexes.conf.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...