Is it OK to manually delete unused warm buckets on...

ezmo1982 · ‎10-20-2021

Hi,

My Splunk environment is on-prem. I have a single IDX which runs RHEL on a physical stand-alone server. Indexes are stored on a RAID 5 disk configuration on the same server.

My disk is starting to fill up and I was wondering if is is possible to manually delete older warm bucket files on my IDX (basically running an rm linux command)? The indexes in question are not being used/written to any more, so I dont need to search/access them again.

Is this OK to do? Will it create any inconsistency issues or errors in my Splunk env?

Thanks.

ezmo1982 · ‎10-29-2021

i have retention policies set up on my indexes. It is based on age. It is set for all index types and i dont want to set up retention policies for individual ones. But i just want to know if manually deleting warm buckets cause any issues?

somesoni2 · ‎10-20-2021

Why not setup appropriate retention policies on your indexes (since you do not use/search old data), so that Splunk will automatically take care of the cleaning up space. You can setup retention based on age of data OR total size of index.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Indexer/Setaretirementandarchivingpolicy

Is it OK to manually delete unused warm buckets on my IDX?

administration

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann