Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove KVStore data after deleting collections.conf

ohbuckeyeio
Communicator
‎06-02-2021 07:53 AM

Hello,

Is there a process to remove data from mongo DB when the KVStore's collections.conf and transforms.conf have been previously deleted?

I am making an assumption that the clean command for kvstore requires a collections.conf.  The documentation does not state otherwise.

Thank you.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-02-2021 08:57 AM

Restart the SH and the data no longer in collections.conf will be removed from the KV Store.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

ohbuckeyeio
Communicator
‎06-04-2021 09:12 AM

Thank you.  I will accept the solution, but might open an SR with Splunk to inquire.  I will follow up when I have more information.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-02-2021 08:57 AM

Restart the SH and the data no longer in collections.conf will be removed from the KV Store.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

ohbuckeyeio
Communicator
‎06-02-2021 09:03 AM

Thank you for the reply!  This is interesting and brings about a few more questions.

Is it safe to assume this applies to an entire KVStore collection, as well as individual fields within the KVStore?

How does this impact replication in the case of a search head cluster and restarting a single node?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-03-2021 07:30 AM

As I understand it, restarts apply to individual fields as well.

I don't understand the second question so I don't have an answer for it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

ohbuckeyeio
Communicator
‎06-03-2021 07:40 AM

My apologies.

If you have a search head cluster with 3 nodes, and one is restarted, that SH performs clean up for the collections.conf items that have been removed. When replication occurs with the other SHs, will it notify its counterparts that those objects should be deleted from them as well?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-03-2021 05:13 PM

I believe it will, but you still should restart those other cluster members.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

ohbuckeyeio
Communicator
‎06-04-2021 08:24 AM

Thank you, Rich. 

Last question: Do you know if this is documented anywhere?  I looked in the docs and Splunk Support to no avail.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-04-2021 09:00 AM

I have not found any documentation on this.  It's pretty much word-of-mouth so far.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...