unable to delete indexes

Path Finder

Hi, I am following the below steps from the Splunk documentation to delete indexes:

  1. Look through all inputs.conf files (on your indexer and on any forwarders sending data to the indexer) and make sure that none of the stanzas are directing data to the index you want to delete. In other words, if you want to delete an index called "nogood", make sure the following attribute/value pair does not appear in any of your input stanzas: index=nogood.

  2. Stop the indexer.

  3. Edit indexes.conf and remove the entire stanza for the index you want to delete.

  4. Start the indexer.

http://docs.splunk.com/Documentation/Splunk/latest/admin/RemovedatafromSplunk#Delete_an_index_entire...

In step 3, the indexes.conf does not have any stanzas for the indexes I created and want to delete. It contains some default indexes only. I have checked indexes.conf both at /apps/splunk/etc/system/default and local. The indexes.conf at /apps/splunk/etc/system/local/ looks like:

[_audit]
disabled = 0

[_blocksignature]
disabled = 0

[_internal]
disabled = 0

[_thefishbucket]
disabled = 0

[history]
disabled = 1

How can I delete indexes?

Thanks,

0 Karma
1 Solution

Splunk Employee

There is more than one indexes.conf file. If you're seeing them in the web GUI, they exist in an indexes.conf file someplace. If you're running a Linux box, from $SPLUNK_HOME/etc, you can do something like 'find . -name indexes.conf | xargs grep nogood'. But if it didn't exist in indexes.conf, someplace, btool wouldn't read it and you wouldn't have it in the GUI.

Path Finder

Thanks, got it solved. The indexes.conf I was looking for was at /apps/splunk/etc/apps/search/local/indexes.conf. I guess because the indexes were created for the search app.

0 Karma
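
The search suggested in the accepted answer, as an added example that is not part of the original thread: shell functions that report every indexes.conf under an etc directory that defines a given index stanza, and every inputs.conf stanza still routing data to it (step 1 of the quoted procedure). The function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate every definition of, and reference to, an index.

# Print "file: line N" for each indexes.conf under ETC_DIR with an [INDEX] stanza.
find_index_stanzas() {
    etc_dir=$1; idx=$2
    find "$etc_dir" -type f -name indexes.conf -exec awk -v idx="$idx" '
        { line = $0; gsub(/^[ \t]+|[ \t\r]+$/, "", line) }
        line == ("[" idx "]") { print FILENAME ": line " FNR }
    ' {} +
}

# Print "file: [stanza]" for each inputs.conf stanza that sets index = INDEX.
find_input_refs() {
    etc_dir=$1; idx=$2
    find "$etc_dir" -type f -name inputs.conf -exec awk -v idx="$idx" '
        FNR == 1 { stanza = "(no stanza)" }
        { line = $0; gsub(/^[ \t]+|[ \t\r]+$/, "", line) }
        line ~ /^\[.*\]$/ { stanza = line; next }
        line ~ /^index[ \t]*=/ {
            val = line; sub(/^index[ \t]*=[ \t]*/, "", val)
            if (val == idx) print FILENAME ": " stanza
        }
    ' {} +
}

# Constructed sample tree mirroring the thread: system/local holds only
# default indexes, while the custom index lives under apps/search/local.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/system/local" "$root/apps/search/local"
    printf '[_audit]\ndisabled = 0\n' > "$root/system/local/indexes.conf"
    printf '[nogood]\ndisabled = 1\n' > "$root/apps/search/local/indexes.conf"
    printf '[monitor:///var/log/app.log]\nindex = nogood\n' \
        > "$root/apps/search/local/inputs.conf"
    echo "$root"
}

tree=$(build_sample_tree)
find_index_stanzas "$tree" nogood   # reports apps/search/local/indexes.conf
find_input_refs "$tree" nogood      # reports the monitor stanza still using it
rm -rf "$tree"
```

On a live instance, point both functions at $SPLUNK_HOME/etc; `splunk btool indexes list --debug` gives the same file-by-file view from Splunk's own merged configuration.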

Path Finder

I have created a few indexes; for some reason I had to change the names of the indexes. So, I created new indexes with the required names and disabled the old ones. Now, I want to delete the disabled indexes.
I can't see the indexes I created in the indexes.conf file but I can see them in the web front end.

0 Karma

Legend

Where are you still seeing the indexes? What are you trying to accomplish?

0 Karma

Path Finder

Not sure if this will answer your question, but I asked this question a few days ago and the answer I got helped me. It regards cleaning indexes.

Here's the post: http://splunk-base.splunk.com/answers/53064/messed-up-input-data-ruiningslowing-down-search

0 Karma

Path Finder

I am trying to delete the index completely and not just the data of the index.