Hi,
I didn't find a detailed description of what happens when an index configuration has been deleted.
So far, I found:
Standalone:
IX Cluster:
Delete index with remove index configuration stanza won't remove stored data, and cannot search it.
Will the buckets removed by Splunk when an index hasbeen deleted only with the configuration stanza removed?
What happens when an admin makes a rollback/recreate the index stanza on the Master Node after a deletion. Will the old data be searchable again?
Does anybody have an experience in this topic? (Or is there a detailed docs somewhere about it?)
Regards,
István
Hi,
there is a small docs about this: http://docs.splunk.com/Documentation/Splunk/7.2.1/Indexer/RemovedatafromSplunk#The_delete_operation_...
Indexed data is not searchable if you remove the index configuration. You can add the configuration again to make it searchable again.
If you want to delete data permanently, you can go the way with the | delete
command, or you can simple delete the buckets from your data storage ( and of course your indexes.conf config for that index, on the master) You can find this (normaly) in $SPLUNK_HOME/var/lib/splunk, if you changed it, you can find the location in splunk-launch.conf
under SPLUNK_DB
.
removing the index from indexes.conf, does it remove that index?
Hi,
there is a small docs about this: http://docs.splunk.com/Documentation/Splunk/7.2.1/Indexer/RemovedatafromSplunk#The_delete_operation_...
Indexed data is not searchable if you remove the index configuration. You can add the configuration again to make it searchable again.
If you want to delete data permanently, you can go the way with the | delete
command, or you can simple delete the buckets from your data storage ( and of course your indexes.conf config for that index, on the master) You can find this (normaly) in $SPLUNK_HOME/var/lib/splunk, if you changed it, you can find the location in splunk-launch.conf
under SPLUNK_DB
.
It's a Good Thing that removing the index configuration doesn't delete data. Otherwise you could not move index configuration around, the risk of deletion would be crippling.
If you want to remove an index from a cluster and delete its data, first make sure it's not receiving any new data. Then set the data retention period to a short timespan for that index only. That will make the indexers delete old data. Once you waited for that short period, there should be no buckets left. Then you remove the index configuration. The indexers will still have empty directories for the index, but they won't consume lots of space.
Side note, |delete is not permanent, the data will still be on disk.
Please accept answer if it helped 🙂
Hi,
I saw that docs, not too much:(
Just a little note:
- After restoring the (index) configuration it needs to make an indexer rolling restart in order to access the old data.
- I think the "orphaned" index live forever on the indexers...
- The docs say nothing how I should delete an index in a clustered environment. There are several ways I know but mostly is a manual job.
Regards,
István