Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove KVStore data after deleting collections.conf

ohbuckeyeio
Communicator
‎06-02-2021 07:53 AM

Hello,

Is there a process to remove data from mongo DB when the KVStore's collections.conf and transforms.conf have been previously deleted?

I am making an assumption that the clean command for kvstore requires a collections.conf.  The documentation does not state otherwise.

Thank you.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-02-2021 08:57 AM

Restart the SH and the data no longer in collections.conf will be removed from the KV Store.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

ohbuckeyeio
Communicator
‎06-04-2021 09:12 AM

Thank you.  I will accept the solution, but might open an SR with Splunk to inquire.  I will follow up when I have more information.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-02-2021 08:57 AM

Restart the SH and the data no longer in collections.conf will be removed from the KV Store.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

ohbuckeyeio
Communicator
‎06-02-2021 09:03 AM

Thank you for the reply!  This is interesting and brings about a few more questions.

Is it safe to assume this applies to an entire KVStore collection, as well as individual fields within the KVStore?

How does this impact replication in the case of a search head cluster and restarting a single node?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-03-2021 07:30 AM

As I understand it, restarts apply to individual fields as well.

I don't understand the second question so I don't have an answer for it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

ohbuckeyeio
Communicator
‎06-03-2021 07:40 AM

My apologies.

If you have a search head cluster with 3 nodes, and one is restarted, that SH performs clean up for the collections.conf items that have been removed. When replication occurs with the other SHs, will it notify its counterparts that those objects should be deleted from them as well?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-03-2021 05:13 PM

I believe it will, but you still should restart those other cluster members.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

ohbuckeyeio
Communicator
‎06-04-2021 08:24 AM

Thank you, Rich. 

Last question: Do you know if this is documented anywhere?  I looked in the docs and Splunk Support to no avail.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-04-2021 09:00 AM

I have not found any documentation on this.  It's pretty much word-of-mouth so far.

---
If this reply helps you, Karma would be appreciated.
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...