Splunk Enterprise

Remove deleted index cluster data


I removed an index from our clustered environment by changing the indexes.conf on the cluster master and pushing the package. However, the data itself is still on disk. Can I safely delete this manually at this point?



As this is a clustered environment, you're going to need to remove that index on each one of your indexers if you want it to be completely gone. You can put your cluster in maintenance mode and then stop each indexer and issue the following command on each one:

 ./splunk clean eventdata <index_name>

If you don't do this on every indexer while in maintenance mode, the data will continue to replicate and you'll be playing whack-a-mole.
