What happens when an index configuration accidentally gets deleted?

ikulcsar
Communicator

Hi,

I didn't find a detailed description of what happens when an index configuration has been deleted.

So far, I found:

Standalone:

  • Deleting an index using the GUI will also remove the stored data.
  • Deleting an index by removing the index configuration stanza won't remove the stored data, but it cannot be searched.

IX Cluster:

  • Deleting an index by removing the index configuration stanza won't remove the stored data, and it cannot be searched.

  • Will the buckets be removed by Splunk when an index has been deleted only by removing the configuration stanza?

  • What happens when an admin rolls back/recreates the index stanza on the Master Node after a deletion? Will the old data be searchable again?

Does anybody have experience with this topic? (Or are there detailed docs somewhere about it?)

Regards,
István

0 Karma
dkeck
Influencer

Hi,

There is a small doc about this: http://docs.splunk.com/Documentation/Splunk/7.2.1/Indexer/RemovedatafromSplunk#The_delete_operation_...

Indexed data is not searchable if you remove the index configuration. You can add the configuration again to make it searchable again.

If you want to delete data permanently, you can go the way with the | delete command, or you can simply delete the buckets from your data storage (and of course your indexes.conf config for that index, on the master). You can find this (normally) in $SPLUNK_HOME/var/lib/splunk; if you changed it, you can find the location in splunk-launch.conf under SPLUNK_DB.

tan_junyuan
Engager

Removing the index from indexes.conf, does it remove that index?

0 Karma

martin_mueller
SplunkTrust

It's a Good Thing that removing the index configuration doesn't delete data. Otherwise you could not move index configuration around, the risk of deletion would be crippling.

If you want to remove an index from a cluster and delete its data, first make sure it's not receiving any new data. Then set the data retention period to a short timespan for that index only. That will make the indexers delete old data. Once you have waited for that short period, there should be no buckets left. Then you remove the index configuration. The indexers will still have empty directories for the index, but they won't consume lots of space.

Side note, |delete is not permanent, the data will still be on disk.

dkeck
Influencer

Please accept answer if it helped 🙂

0 Karma

ikulcsar
Communicator

Hi,

I saw that doc, not too much :(

Just a little note:
- After restoring the (index) configuration, an indexer rolling restart is needed in order to access the old data.
- I think the "orphaned" index lives forever on the indexers...
- The docs say nothing about how I should delete an index in a clustered environment. There are several ways I know, but it is mostly a manual job.

Regards,
István

0 Karma
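
The thread's point that data stays on disk once its stanza is gone can be checked per indexer. The following is an added example, not code from any poster or from Splunk: it lists directories under SPLUNK_DB that still hold buckets but are not referenced by any `homePath`. It assumes the default `<dir>/db` and `<dir>/colddb` layout and bucket directories named `db_*`, `rb_*` or `hot_*`; the function names and the sample layout are constructed for illustration.

```python
import os
import re
import tempfile

BUCKET_PREFIXES = ("db_", "rb_", "hot_")  # assumed bucket directory naming

def claimed_dirs(conf_text, splunk_db):
    """Top-level directories under splunk_db referenced by a homePath."""
    root, claimed, stanza = os.path.normpath(splunk_db), set(), None
    for line in (l.strip() for l in conf_text.splitlines()):
        header = re.match(r"\[(.+)\]$", line)
        if header:
            stanza = header.group(1)
        elif stanza and line.split("=")[0].strip() == "homePath":
            value = line.partition("=")[2].strip()
            path = os.path.normpath(value.replace("$SPLUNK_DB", root)
                                         .replace("$_index_name", stanza))
            if path.startswith(root + os.sep):  # volume: paths are skipped
                claimed.add(path[len(root) + 1:].split(os.sep)[0])
    return claimed

def orphaned_indexes(conf_text, splunk_db):
    """Map directory name -> bucket count for data with no index stanza."""
    claimed, report = claimed_dirs(conf_text, splunk_db), {}
    for name in sorted(os.listdir(splunk_db)):
        if name in claimed:
            continue
        count = 0
        for sub in ("db", "colddb"):
            path = os.path.join(splunk_db, name, sub)
            if os.path.isdir(path):
                count += sum(e.startswith(BUCKET_PREFIXES) for e in os.listdir(path))
        if count:  # empty leftover directories are not reported
            report[name] = count
    return report

def demo():
    """Constructed layout: 'web' is configured, 'old_fw' lost its stanza,
    'aged_out' is an empty leftover directory."""
    conf = "[web]\nhomePath = $SPLUNK_DB/web/db\ncoldPath = $SPLUNK_DB/web/colddb\n"
    with tempfile.TemporaryDirectory() as db:
        for bucket in ("web/db/db_1700000500_1700000000_0",
                       "old_fw/db/db_1600000500_1600000000_3",
                       "old_fw/colddb/rb_1500000500_1500000000_1",
                       "aged_out/db"):
            os.makedirs(os.path.join(db, bucket))
        return orphaned_indexes(conf, db)

if __name__ == "__main__":
    print(demo())
```

On a real indexer, pass in the merged configuration (for example the output of `splunk btool indexes list`) rather than a single indexes.conf, so that indexes defined in apps or system defaults are not reported as orphaned.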