Splunk Enterprise

Remove KVStore data after deleting collections.conf

ohbuckeyeio
Communicator

Hello,

Is there a process to remove data from MongoDB when the KVStore's collections.conf and transforms.conf have been previously deleted?

I am making an assumption that the clean command for kvstore requires a collections.conf.  The documentation does not state otherwise.

Thank you.


richgalloway
SplunkTrust

Restart the SH and the data no longer in collections.conf will be removed from the KV Store.

---
If this reply helps you, Karma would be appreciated.


ohbuckeyeio
Communicator

Thank you.  I will accept the solution, but might open an SR with Splunk to inquire.  I will follow up when I have more information.


ohbuckeyeio
Communicator

Thank you for the reply!  This is interesting and brings about a few more questions.

Is it safe to assume this applies to an entire KVStore collection, as well as individual fields within the KVStore?

How does this impact replication in the case of a search head cluster and restarting a single node?


richgalloway
SplunkTrust

As I understand it, restarts apply to individual fields as well.

I don't understand the second question so I don't have an answer for it.

---
If this reply helps you, Karma would be appreciated.

ohbuckeyeio
Communicator

My apologies.

If you have a search head cluster with 3 nodes, and one is restarted, that SH performs clean up for the collections.conf items that have been removed. When replication occurs with the other SHs, will it notify its counterparts that those objects should be deleted from them as well?


richgalloway
SplunkTrust

I believe it will, but you still should restart those other cluster members.

---
If this reply helps you, Karma would be appreciated.

ohbuckeyeio
Communicator

Thank you, Rich. 

Last question: Do you know if this is documented anywhere?  I looked in the docs and Splunk Support to no avail.


richgalloway
SplunkTrust

I have not found any documentation on this.  It's pretty much word-of-mouth so far.

---
If this reply helps you, Karma would be appreciated.