Splunk Enterprise

Remove deleted index cluster data


I removed an index from our clustered environment by changing the indexes.conf on the cluster master and pushing the package. However, the data itself is still on disk. Can I safely delete this manually at this point?

Tags (1)
0 Karma


As this is a clustered environment you're going to need to remove that index on each one of your indexers if you want it to be completely gone. You can put your cluster in maintenance mode and then stop each indexer issue the following command on each one:

 ./splunk clean eventdata <index_name>

If you don't do this on every indexer while in maintenance mode the data will continue to replicate and you'll be playing whack-a-mole.

0 Karma
Get Updates on the Splunk Community!

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...