Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

If I delete data from HDFS will it impact my Splunk instance?

scottgr
New Member
‎08-15-2017 06:34 AM

I'm storing log data in HDFS that is being indexed by Splunk. Due to space constrains I'd like to delete data over a certain age. I know that I can do this by editing indexes.conf but I wanted to see if there were any gotchas that I needed to be aware of.

I'm specifically interested in knowing:

  • Will Splunk correctly delete the log data from HDFS if I tell it to delete data over a certain age? i.e. is there anything specific I need to know about deletion of Splunk data from HDFS
  • If instead of deleting the data from Splunk I used a script to automatically delete the files from HDFS would it cause problems with Splunk? (for example the index is expecting to see data that is now missing). There might be some advantages to me deleting the data from HDFS directly rather than depending on Splunk to do it.

I'm quite new to working with Splunk as a developer so I'd be grateful for any advice people have with the above. Thanks.

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎08-16-2017 06:45 AM

Hey Scottgr!

As far as I know Hunk/Data Roll will not action any retention policy on the HDFS side, so removing data with a script or policy on the Haddop side shouldn't bother Hunk. The virtual index simply tells Hunk where the data lives and how to send an MR job to the Hadoop side, and will return what it finds.

You should be fine to manage the lifecycle of the data in HDFS in whatever manner works for you, in fact, it is something you will be required to do.

- MattyMo
0 Karma
Reply

scottgr
New Member
‎08-17-2017 02:49 AM

That's great - really appreciate the advice. Thanks.

0 Karma
Reply

ddrillic
Ultra Champion
‎08-16-2017 06:53 AM

Right, that's the key thing - it's virtual - "just" a pointer to the location. You can administer the data on HDFS as you please...

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎08-15-2017 07:40 PM

Hi scottgr!

Can you tell us more about the Splunk configuration you are using to interact with HDFS? Hadoop Data Roll? Hunk?

When I last played with data roll, Splunk didn't maintain the retention logic on the hdfs side. Once it was there, it was there and we only aged out data in your indexes. I recall it was relatively easy to use the hdfs command to clean up if needed.

- MattyMo
0 Karma
Reply

scottgr
New Member
‎08-16-2017 06:23 AM

Thanks for getting back to me - it's much appreciated. We're using Hunk. So we have a remote Hadoop cluster that we're accessing in Splunk via a virtual index.

What I'm unsure about is whether it's acceptable to just delete old data within Hadoop - or whether that will cause problems with the Splunk indexing.

Thanks again for the help.

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...