Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I can't delete index in Splunk Web.

yutaka1005
Builder
‎02-05-2018 08:29 PM

I can't delete index in Splunk Web.

I just created index in Splunk web and after that since I no longer need that index, I disabled it.

Then I want to delete that index, so I enabled that index and tried to delete index in Splunk Web.
But because of the Warning like below, I couldn't delete it.

"idx=*** Unable to remove index: Restart required."

I thought "What?", but I restarted Splunk.
Then I tried again, same messages was displayed!

I thought this issue related to the answer below.
https://answers.splunk.com/answers/492433/why-am-i-unable-to-delete-indexes-from-the-splunk-1.html

So I checked indexes.conf, but "homepath" and "coldpath" etc were set up.
How can I avoid this issue?

I would be appreciated if anyone tells me about it.

I found this issue in ver6.6.4 and ver 7.0.1.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yutaka1005
Builder
‎02-12-2018 08:19 PM

Splunk support said that it is maybe bug.

And they opened this case as "SPL-149077" and they were investigating about it.

The cause of this problem is to add "/" at the end of the path when setting "coldToFrozenDir".

So, workaround is to always avoid appendding "/" at last of the path when specifying the path.

additional information
Splunk support said that this bug will be fixed in ver 6.6.7 and 7.0.3.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

yutaka1005
Builder
‎02-12-2018 08:19 PM

Splunk support said that it is maybe bug.

And they opened this case as "SPL-149077" and they were investigating about it.

The cause of this problem is to add "/" at the end of the path when setting "coldToFrozenDir".

So, workaround is to always avoid appendding "/" at last of the path when specifying the path.

additional information
Splunk support said that this bug will be fixed in ver 6.6.7 and 7.0.3.

0 Karma
Reply
Solved! Jump to solution

yutaka1005
Builder
‎02-06-2018 01:10 AM

Although I am currently being confirmed, it seems that the same issue will be reproduced if "coldToFrozenDir" is set in indexes.conf under /opt/splunk/etc/apps//local.

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎02-05-2018 08:47 PM

Hi ,

This link might useful to you:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Indexer/RemovedatafromSplunk

Also to permanently remove event data from a single index, type:

splunk clean eventdata -index <index_name>
Reply
Solved! Jump to solution

yutaka1005
Builder
‎02-05-2018 08:58 PM

Thank you for answer.

yeah I know "clean" command but I want to delete index itself.

I also know that if I edit indexes.conf directly, definitely this wish will come true.
However If possible, I would like to delete from Splunk web as before.

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎02-05-2018 09:02 PM

In splunk web you have to disable it and then delete it. Also in above link go to Remove an index entirely section which used following command which will delete index from entire splunk:

splunk remove index <index_name>
0 Karma
Reply
Solved! Jump to solution

yutaka1005
Builder
‎02-05-2018 09:54 PM

I can't delete index when it disabled.

Yeah I knew remove index in cli.
However, I would like to know if this phenomenon is a bug or misconfiguration.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...