Splunk Enterprise

Remove deleted index cluster data

jcrosby21
Explorer

I removed an index from our clustered environment by changing the indexes.conf on the cluster master and pushing the package. However, the data itself is still on disk. Can I safely delete this manually at this point?

Tags (1)
0 Karma

ryanoconnor
Builder

As this is a clustered environment you're going to need to remove that index on each one of your indexers if you want it to be completely gone. You can put your cluster in maintenance mode and then stop each indexer issue the following command on each one:

 ./splunk clean eventdata <index_name>

If you don't do this on every indexer while in maintenance mode the data will continue to replicate and you'll be playing whack-a-mole.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...