- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[smartstore] How to delete bucket from local storage and also from remote store?
data:image/s3,"s3://crabby-images/d3347/d334703afb9bf63c7e394bcc57339c603c832da2" alt="rbal_splunk rbal_splunk"
data:image/s3,"s3://crabby-images/1f594/1f594b1b4c0941863df1722dd52dd06a5b9a2e11" alt="Splunk Employee Splunk Employee"
I need to figure out the valid command that could be used to delete bucket locally and from a remote store. In the past, we used the command
curl -k -u admin: -X POST https://localhost:8089/services/cluster/master/buckets//remove_all
This commands only delete the bucket locally but bucket continues to exist on remote store.
To remove the bucket from the remote store the cli command is
$SPLUNk_HOME/bin/splunk cmd splunkd rfs -- rmV --starts-with bucket:_audit~2~761A77A2-6676-4BF9-83CD-1CB243ED61BF
Due to just using the "remove_all" to remove the bucket we are in a situation where are present only on remote and not locally.
Also these buckets are not visible to |dbinspect
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/d3347/d334703afb9bf63c7e394bcc57339c603c832da2" alt="rbal_splunk rbal_splunk"
data:image/s3,"s3://crabby-images/1f594/1f594b1b4c0941863df1722dd52dd06a5b9a2e11" alt="Splunk Employee Splunk Employee"
Here is something that will work -To delete bucket both from remote and locally use
curl -k -u admn:xxxxxxx https://:24711/services/data/indexes/_audit/freeze-buckets -d bucket_ids=_audit~100~33B81190-7EE1-4FCD-AC6D-DC4E3BEF7E1C -X POST
Note:
-Done on indexer
-works on standalone also
-In a cluster environment, the other indexer also would delete the bucket locally
-Suitable for S2 environment taking care of deleting remote bucket
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/d3347/d334703afb9bf63c7e394bcc57339c603c832da2" alt="rbal_splunk rbal_splunk"
data:image/s3,"s3://crabby-images/1f594/1f594b1b4c0941863df1722dd52dd06a5b9a2e11" alt="Splunk Employee Splunk Employee"
In this case, you will need a cluster to re-discover the bucket that is only present on the remote. The cluster can be bootstrap and it will discover the bucket from remote and download them locally, which will enable them to use |dbinspet and later remove the bucket from both locally and from remote.
bootstrap command
$SPLUNK_HOME/bin/splunk _internal call /services/cluster/master/control/control/init_recreate_index -method POST
bootstrapping would ensure that buckets which are already present in the cluster would not be created again on the cluster.
bootstrapping would just list all the buckets on S3 and would then create the buckets which are not present on the cluster.
It is usually quick as well.
Hence if only missing a few buckets on the cluster, we can initiate bootstrapping and it would create these buckets.
Is also fairly safe / quick to run this for large deployments.
To discover these buckets, bootstrapping is the only option currently. it is not supported per index.
The entire operation is detached from the usual operations of CM - it is safe and quick as well.
data:image/s3,"s3://crabby-images/a266d/a266d0c80c12793a952b209c17cc3de41b17fc89" alt=""