Knowledge Management

[smartstore] How to delete bucket from local storage and also from remote store?

rbal_splunk
Splunk Employee
Splunk Employee

I need to figure out the valid command that could be used to delete bucket locally and from a remote store. In the past, we used the command

curl -k -u admin: -X POST https://localhost:8089/services/cluster/master/buckets//remove_all

This commands only delete the bucket locally but bucket continues to exist on remote store.

To remove the bucket from the remote store the cli command is
$SPLUNk_HOME/bin/splunk cmd splunkd rfs -- rmV --starts-with bucket:_audit~2~761A77A2-6676-4BF9-83CD-1CB243ED61BF

Due to just using the "remove_all" to remove the bucket we are in a situation where are present only on remote and not locally.
Also these buckets are not visible to |dbinspect

Tags (1)
0 Karma

rbal_splunk
Splunk Employee
Splunk Employee

Here is something that will work -To delete bucket both from remote and locally use

curl -k -u admn:xxxxxxx https://:24711/services/data/indexes/_audit/freeze-buckets -d bucket_ids=_audit~100~33B81190-7EE1-4FCD-AC6D-DC4E3BEF7E1C -X POST

Note:

-Done on indexer
-works on standalone also
-In a cluster environment, the other indexer also would delete the bucket locally
-Suitable for S2 environment taking care of deleting remote bucket

0 Karma

rbal_splunk
Splunk Employee
Splunk Employee

In this case, you will need a cluster to re-discover the bucket that is only present on the remote. The cluster can be bootstrap and it will discover the bucket from remote and download them locally, which will enable them to use |dbinspet and later remove the bucket from both locally and from remote.

bootstrap command
$SPLUNK_HOME/bin/splunk _internal call /services/cluster/master/control/control/init_recreate_index -method POST

bootstrapping would ensure that buckets which are already present in the cluster would not be created again on the cluster.
bootstrapping would just list all the buckets on S3 and would then create the buckets which are not present on the cluster.
It is usually quick as well.
Hence if only missing a few buckets on the cluster, we can initiate bootstrapping and it would create these buckets.
Is also fairly safe / quick to run this for large deployments.

To discover these buckets, bootstrapping is the only option currently. it is not supported per index.
The entire operation is detached from the usual operations of CM - it is safe and quick as well.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...