Deployment Architecture

Why is the "splunk remove excess-buckets [index-name]" command not working (GUI or CLI) in our multisite indexer cluster?

Ankitha_d
Path Finder

The splunk remove excess-buckets [index-name] command is not clearing all the excess buckets.
Have tried to clear from GUI and command line as well.
The buckets do not get cleared even after refreshing multiple types (keeping asynchronous operation in mind)

Is multisite indexer clustering creating a problem in this case?

Please help.

0 Karma
1 Solution

stanwin
Contributor

on a similar multisite related issue.. similar behaviour for the delete operator in my environment.

The |delete operator cleared data from one site, but data in the other multisite indexer was unaffected (i waited a long while >1.5 hours as the docs mention it may take a while..). The dataset was quite low & shouldnt have taken so long.

Had to manually run delete on the other site.

6.2.3 build 264376

View solution in original post

0 Karma

muizash
Path Finder

While the data is rebalancing, you cannot remove excess buckets. Splunk has this limitation clearly mentioned in their document.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Removeextrabucketcopies

rbal_splunk
Splunk Employee
Splunk Employee

For '|delete' to work in Splunk Indexed Clustered environment it is required that management for is open between on Cluster peers across sites.

stanwin
Contributor

Thanks for the reply Rbal!

but could you elaborate on the 'management is open' part please?

The cluster master should be able to coordinate this across the sites, shouldnt it?

0 Karma

stanwin
Contributor

on a similar multisite related issue.. similar behaviour for the delete operator in my environment.

The |delete operator cleared data from one site, but data in the other multisite indexer was unaffected (i waited a long while >1.5 hours as the docs mention it may take a while..). The dataset was quite low & shouldnt have taken so long.

Had to manually run delete on the other site.

6.2.3 build 264376

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...