Splunk Enterprise

Remove KVStore data after deleting collections.conf

ohbuckeyeio
Path Finder

Hello,

Is there a process to remove data from mongo DB when the KVStore's collections.conf and transforms.conf have been previously deleted?

I am making an assumption that the clean command for kvstore requires a collections.conf.  The documentation does not state otherwise.

Thank you.

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Restart the SH and the data no longer in collections.conf will be removed from the KV Store.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

ohbuckeyeio
Path Finder

Thank you.  I will accept the solution, but might open an SR with Splunk to inquire.  I will follow up when I have more information.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Restart the SH and the data no longer in collections.conf will be removed from the KV Store.

---
If this reply helps you, Karma would be appreciated.

ohbuckeyeio
Path Finder

Thank you for the reply!  This is interesting and brings about a few more questions.

Is it safe to assume this applies to an entire KVStore collection, as well as individual fields within the KVStore?

How does this impact replication in the case of a search head cluster and restarting a single node?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

As I understand it, restarts apply to individual fields as well.

I don't understand the second question so I don't have an answer for it.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ohbuckeyeio
Path Finder

My apologies.

If you have a search head cluster with 3 nodes, and one is restarted, that SH performs clean up for the collections.conf items that have been removed. When replication occurs with the other SHs, will it notify its counterparts that those objects should be deleted from them as well?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I believe it will, but you still should restart those other cluster members.

---
If this reply helps you, Karma would be appreciated.

ohbuckeyeio
Path Finder

Thank you, Rich. 

Last question: Do you know if this is documented anywhere?  I looked in the docs and Splunk Support to no avail.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I have not found any documentation on this.  It's pretty much word-of-mouth so far.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...