Splunk Enterprise

Is it OK to manually delete unused warm buckets on my IDX?

Path Finder


My Splunk environment is on-prem. I have a single IDX which runs RHEL on a physical stand-alone server. Indexes are stored on a RAID 5 disk configuration on the same server.

My disk is starting to fill up and I was wondering if is is possible to manually delete older warm bucket files on my IDX (basically running an rm linux command)? The indexes in question are not being used/written to any more, so I dont need to search/access them again.

Is this OK to do? Will it create any inconsistency issues or errors in my Splunk env?


Labels (1)
0 Karma

Path Finder

i have retention policies set up on my indexes. It is based on age. It is set for all index types and i dont want to set up retention policies for individual ones. But i just want to know if manually deleting warm buckets cause any issues?

0 Karma

Revered Legend

Why not setup appropriate retention policies on your indexes (since you do not use/search old data), so that Splunk will automatically take care of the cleaning up space. You can setup retention based on age of data OR total size of index.


0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...