I need to figure out the valid command that could be used to delete bucket locally and from a remote store. In the past, we used the command
curl -k -u admin: -X POST https://localhost:8089/services/cluster/master/buckets//remove_all
This commands only delete the bucket locally but bucket continues to exist on remote store.
To remove the bucket from the remote store the cli command is
$SPLUNk_HOME/bin/splunk cmd splunkd rfs -- rmV --starts-with bucket:_audit~2~761A77A2-6676-4BF9-83CD-1CB243ED61BF
Due to just using the "remove_all" to remove the bucket we are in a situation where are present only on remote and not locally.
Also these buckets are not visible to |dbinspect
Here is something that will work -To delete bucket both from remote and locally use
curl -k -u admn:xxxxxxx https://:24711/services/data/indexes/_audit/freeze-buckets -d bucket_ids=_audit~100~33B81190-7EE1-4FCD-AC6D-DC4E3BEF7E1C -X POST
Note:
-Done on indexer
-works on standalone also
-In a cluster environment, the other indexer also would delete the bucket locally
-Suitable for S2 environment taking care of deleting remote bucket
In this case, you will need a cluster to re-discover the bucket that is only present on the remote. The cluster can be bootstrap and it will discover the bucket from remote and download them locally, which will enable them to use |dbinspet and later remove the bucket from both locally and from remote.
bootstrap command
$SPLUNK_HOME/bin/splunk _internal call /services/cluster/master/control/control/init_recreate_index -method POST
bootstrapping would ensure that buckets which are already present in the cluster would not be created again on the cluster.
bootstrapping would just list all the buckets on S3 and would then create the buckets which are not present on the cluster.
It is usually quick as well.
Hence if only missing a few buckets on the cluster, we can initiate bootstrapping and it would create these buckets.
Is also fairly safe / quick to run this for large deployments.
To discover these buckets, bootstrapping is the only option currently. it is not supported per index.
The entire operation is detached from the usual operations of CM - it is safe and quick as well.