Splunk Enterprise

Remove deleted index cluster data

Path Finder

I removed an index from our clustered environment by changing the indexes.conf on the cluster master and pushing the package. However, the data itself is still on disk. Can I safely delete this manually at this point?

Tags (1)
0 Karma


As this is a clustered environment you're going to need to remove that index on each one of your indexers if you want it to be completely gone. You can put your cluster in maintenance mode and then stop each indexer issue the following command on each one:

 ./splunk clean eventdata <index_name>

If you don't do this on every indexer while in maintenance mode the data will continue to replicate and you'll be playing whack-a-mole.

0 Karma
Get Updates on the Splunk Community!

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...