Solved: Can you help me with my [Smartstore] and bucket de...

rbal_splunk · ‎11-14-2018

We are using http://docs.splunk.com/Documentation/Splunk/7.2.0/Indexer/SmartStorearchitecture

We are seeing some corrupt buckets as they missing a rawdata directory. They’re unrecoverable, and they won’t expire for a long time. They also error in the UI whenever a search hits them. There a suggested way to freeze or remove these buckets in an S2 friendly way that will clean them from the S3 remote store as well?

They are the broken both in the remote store and in the cache.
Ultimately, I want to know if there is a “correct” way to remove this bucket, short of manual removal of the files on the indexer and our remote store.
If there isn’t a correct way, I’ll sort out the manual steps.

Do we have a command to remove the bucket from Splunk cache and remote in oneshot?

rbal_splunk · ‎11-14-2018

1) Here is example to remove bucket from remote store.

/opt/splunk/bin/splunk cmd splunkd rfs -- rm --starts-with bucket:sos~0~F66111A5-B9F9-407B-8350-A17FE27FF4C0"

Also read somewhere if your bucket is versioning enabled and you REALLY want the data gone, it would be better to use rmV, which will remove all revisions of the objects.

2)also need to clean all bucket locally eaxmple:

/opt/splunk/bin/splunk clean eventdata -f -index sos

3)To remove bucket both locally and remotely

/opt/splunk/bin/splunk clean eventdata -f -index sos --remote=true

Note: This command is very different from remove_all master endpoint removes off copies of a single bucket in a cluster but leaves the buckets untouched on s3

4) ( for Smartstore env) To remove the bucket from everywhere ( i.e locally, from cache manager and remote store ) use REST cli

curl -k -u admin:password https://localhost:8089/services/cluster/master/buckets/_internal~0~111175BA-00DF-4CFE-9AEC-48A87B97E... -X POST

As documented in https://docs.splunk.com/Documentation/Splunk/7.2.5/RESTREF/RESTcluster look under -cluster/master/buckets/{bucket_id}/remove_all

View solution in original post

rbal_splunk · ‎11-14-2018

1) Here is example to remove bucket from remote store.

/opt/splunk/bin/splunk cmd splunkd rfs -- rm --starts-with bucket:sos~0~F66111A5-B9F9-407B-8350-A17FE27FF4C0"

Also read somewhere if your bucket is versioning enabled and you REALLY want the data gone, it would be better to use rmV, which will remove all revisions of the objects.

2)also need to clean all bucket locally eaxmple:

/opt/splunk/bin/splunk clean eventdata -f -index sos

3)To remove bucket both locally and remotely

/opt/splunk/bin/splunk clean eventdata -f -index sos --remote=true

Note: This command is very different from remove_all master endpoint removes off copies of a single bucket in a cluster but leaves the buckets untouched on s3

4) ( for Smartstore env) To remove the bucket from everywhere ( i.e locally, from cache manager and remote store ) use REST cli

curl -k -u admin:password https://localhost:8089/services/cluster/master/buckets/_internal~0~111175BA-00DF-4CFE-9AEC-48A87B97E... -X POST

As documented in https://docs.splunk.com/Documentation/Splunk/7.2.5/RESTREF/RESTcluster look under -cluster/master/buckets/{bucket_id}/remove_all

gjanders · ‎01-15-2019

@rbal_splunk please accept your answer as well. Thanks

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

Can you help me with my [Smartstore] and bucket deletion query?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk