Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it OK to manually delete unused warm buckets on my IDX?

ezmo1982
Path Finder
‎10-20-2021 05:27 AM

Hi,

My Splunk environment is on-prem. I have a single IDX which runs RHEL on a physical stand-alone server. Indexes are stored on a RAID 5 disk configuration on the same server.

My disk is starting to fill up and I was wondering if is is possible to manually delete older warm bucket files on my IDX (basically running an rm linux command)? The indexes in question are not being used/written to any more, so I dont need to search/access them again.

Is this OK to do? Will it create any inconsistency issues or errors in my Splunk env?

Thanks. 

Labels (1)
Labels
0 Karma
Reply

ezmo1982
Path Finder
‎10-29-2021 05:57 AM

i have retention policies set up on my indexes. It is based on age. It is set for all index types and i dont want to set up retention policies for individual ones. But i just want to know if manually deleting warm buckets cause any issues?

0 Karma
Reply

somesoni2
Revered Legend
‎10-20-2021 07:29 AM

Why not setup appropriate retention policies on your indexes (since you do not use/search old data), so that Splunk will automatically take care of the cleaning up space. You can setup retention based on age of data OR total size of index.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Indexer/Setaretirementandarchivingpolicy

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...