Knowledge Management

Can you help me with my [Smartstore] and bucket deletion query?

rbal_splunk
Splunk Employee

We are using http://docs.splunk.com/Documentation/Splunk/7.2.0/Indexer/SmartStorearchitecture

We are seeing some corrupt buckets, as they are missing a rawdata directory. They’re unrecoverable, and they won’t expire for a long time. They also error in the UI whenever a search hits them. Is there a suggested way to freeze or remove these buckets in an S2-friendly way that will clean them from the S3 remote store as well?

They are broken both in the remote store and in the cache.
Ultimately, I want to know if there is a “correct” way to remove this bucket, short of manual removal of the files on the indexer and our remote store.
If there isn’t a correct way, I’ll sort out the manual steps.

Do we have a command to remove the bucket from the Splunk cache and the remote store in one shot?

0 Karma
1 Solution

rbal_splunk
Splunk Employee

1) Here is an example to remove a bucket from the remote store.

/opt/splunk/bin/splunk cmd splunkd rfs -- rm --starts-with bucket:sos~0~F66111A5-B9F9-407B-8350-A17FE27FF4C0

Also, I read somewhere that if your bucket has versioning enabled and you REALLY want the data gone, it would be better to use rmV, which will remove all revisions of the objects.

2) You also need to clean all buckets locally, for example:

/opt/splunk/bin/splunk clean eventdata -f -index sos

3) To remove the bucket both locally and remotely:

/opt/splunk/bin/splunk clean eventdata -f -index sos --remote=true

Note: This command is very different from the remove_all master endpoint, which removes off copies of a single bucket in a cluster but leaves the buckets untouched on S3.

4) (For SmartStore environments) To remove the bucket from everywhere (i.e. locally, from the cache manager and from the remote store), use the REST CLI:

curl -k -u admin:password https://localhost:8089/services/cluster/master/buckets/_internal~0~111175BA-00DF-4CFE-9AEC-48A87B97E... -X POST

As documented in https://docs.splunk.com/Documentation/Splunk/7.2.5/RESTREF/RESTcluster look under -cluster/master/buckets/{bucket_id}/remove_all
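
Steps 1 and 4 are destructive and `--starts-with` matches by prefix, so it helps to accept only a complete bucket ID before building either command. The script below is an added example, not part of the original post or of Splunk's tooling; the ID pattern is an assumption inferred from the two IDs shown in the post, and `SPLUNK_BIN`, `MGMT_URI`, `is_full_bucket_id` and `plan_bucket_removal` are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the original post: print (do not run) the removal
# commands from steps 1 and 4, but only for a complete bucket ID.

SPLUNK_BIN="${SPLUNK_BIN:-/opt/splunk/bin/splunk}"  # path used in the post
MGMT_URI="${MGMT_URI:-https://localhost:8089}"      # management URI used in the post

# Assumed ID shape, inferred from the post's examples: <index>~<local id>~<GUID>
BUCKET_ID_RE='^[A-Za-z0-9_][A-Za-z0-9_-]*~[0-9]+~[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'

is_full_bucket_id() {
    # Reject embedded newlines so grep sees exactly one line.
    case "$1" in *'
'*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq "$BUCKET_ID_RE"
}

plan_bucket_removal() {
    bid="$1"
    if ! is_full_bucket_id "$bid"; then
        # --starts-with is a prefix match: a truncated ID (or one with stray
        # characters pasted in) must never reach a destructive rm.
        printf 'refusing: not a complete bucket ID: %s\n' "$bid" >&2
        return 2
    fi
    # Step 1: remove the bucket's objects from the remote store.
    printf '%s cmd splunkd rfs -- rm --starts-with "bucket:%s"\n' "$SPLUNK_BIN" "$bid"
    # Step 4: remove_all on the cluster master. "-u admin" makes curl prompt for
    # the password rather than putting it in argv and shell history.
    printf 'curl -k -u admin -X POST "%s/services/cluster/master/buckets/%s/remove_all"\n' \
        "$MGMT_URI" "$bid"
}

# With no arguments, demonstrate on the bucket ID from step 1 of the post.
[ "$#" -gt 0 ] || set -- 'sos~0~F66111A5-B9F9-407B-8350-A17FE27FF4C0'
for id in "$@"; do
    plan_bucket_removal "$id"
done
```

Review the printed commands and run them by hand once the bucket ID has been confirmed against the index in question.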

gjanders
SplunkTrust

@rbal_splunk please accept your answer as well. Thanks

0 Karma