Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me with my [Smartstore] and bucket deletion query?

rbal_splunk
Splunk Employee
Splunk Employee
‎11-14-2018 05:23 PM

We are using http://docs.splunk.com/Documentation/Splunk/7.2.0/Indexer/SmartStorearchitecture

We are seeing some corrupt buckets as they missing a rawdata directory. They’re unrecoverable, and they won’t expire for a long time. They also error in the UI whenever a search hits them. There a suggested way to freeze or remove these buckets in an S2 friendly way that will clean them from the S3 remote store as well?

They are the broken both in the remote store and in the cache.
Ultimately, I want to know if there is a “correct” way to remove this bucket, short of manual removal of the files on the indexer and our remote store.
If there isn’t a correct way, I’ll sort out the manual steps.

Do we have a command to remove the bucket from Splunk cache and remote in oneshot?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rbal_splunk
Splunk Employee
Splunk Employee
‎11-14-2018 05:25 PM

1) Here is example to remove bucket from remote store.

/opt/splunk/bin/splunk cmd splunkd rfs -- rm --starts-with bucket:sos~0~F66111A5-B9F9-407B-8350-A17FE27FF4C0"

Also read somewhere if your bucket is versioning enabled and you REALLY want the data gone, it would be better to use rmV, which will remove all revisions of the objects.

2)also need to clean all bucket locally eaxmple:

/opt/splunk/bin/splunk clean eventdata -f -index sos

3)To remove bucket both locally and remotely

/opt/splunk/bin/splunk clean eventdata -f -index sos --remote=true

Note: This command is very different from remove_all master endpoint removes off copies of a single bucket in a cluster but leaves the buckets untouched on s3

4) ( for Smartstore env) To remove the bucket from everywhere ( i.e locally, from cache manager and remote store ) use REST cli

curl -k -u admin:password https://localhost:8089/services/cluster/master/buckets/_internal~0~111175BA-00DF-4CFE-9AEC-48A87B97E... -X POST

As documented in https://docs.splunk.com/Documentation/Splunk/7.2.5/RESTREF/RESTcluster look under -cluster/master/buckets/{bucket_id}/remove_all

View solution in original post

Reply
Solved! Jump to solution
Solution

rbal_splunk
Splunk Employee
Splunk Employee
‎11-14-2018 05:25 PM

1) Here is example to remove bucket from remote store.

/opt/splunk/bin/splunk cmd splunkd rfs -- rm --starts-with bucket:sos~0~F66111A5-B9F9-407B-8350-A17FE27FF4C0"

Also read somewhere if your bucket is versioning enabled and you REALLY want the data gone, it would be better to use rmV, which will remove all revisions of the objects.

2)also need to clean all bucket locally eaxmple:

/opt/splunk/bin/splunk clean eventdata -f -index sos

3)To remove bucket both locally and remotely

/opt/splunk/bin/splunk clean eventdata -f -index sos --remote=true

Note: This command is very different from remove_all master endpoint removes off copies of a single bucket in a cluster but leaves the buckets untouched on s3

4) ( for Smartstore env) To remove the bucket from everywhere ( i.e locally, from cache manager and remote store ) use REST cli

curl -k -u admin:password https://localhost:8089/services/cluster/master/buckets/_internal~0~111175BA-00DF-4CFE-9AEC-48A87B97E... -X POST

As documented in https://docs.splunk.com/Documentation/Splunk/7.2.5/RESTREF/RESTcluster look under -cluster/master/buckets/{bucket_id}/remove_all

Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎01-15-2019 02:28 PM

@rbal_splunk please accept your answer as well. Thanks

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...