Getting Data In

How is data handled with indexes.conf when the index is removed?

matthewssa
Path Finder

Hello!

I stumbled across something interesting today while removing a test indexer from a deployment server. It removed my indexes.conf, which made all of my data not searchable. That makes sense, so I added it back thinking that I would have no more data, but to my surprise all of the data was still there! We regularly remove indexes when they are no longer needed but thought that data would be purged when it was removed from indexes.conf. This brought on some concern when we saw that it was still available.

Assuming I have 10 GB of space for data: 5 GB set to index_01 and 5 GB set to index_02. If I removed index_02 from indexes.conf and expanded index_01 to 10 GB, then what happens to the index_02 data? Will index_01 still only be capped at 5 GB since index_02 is still technically on the physical disk, or will it eventually overwrite any data that is not inside the indexes.conf?

1 Solution

somesoni2
Revered Legend

If you want to remove an index and also want to remove the indexed data, please follow the procedure from this Splunk documentation:
https://docs.splunk.com/Documentation/Splunk/7.2.5/Indexer/RemovedatafromSplunk#Remove_an_index_enti...

An index removed from indexes.conf doesn't free up the disk space utilized by the index. This feature is helpful to avoid accidental deletion of data if you mistyped index names in indexes.conf.


0 Karma
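
Because data for an index dropped from indexes.conf stays on disk, as the answer above says, it helps to audit for it. The following is an added example, not part of the original posts and not Splunk tooling: it lists directories under `$SPLUNK_DB` that look like indexes but that no stanza's `homePath`, `coldPath` or `thawedPath` points into, with their size. It assumes the input is the merged effective configuration (for instance the output of `splunk btool indexes list`), that index directories sit directly under `$SPLUNK_DB` and contain a `db` subdirectory, and it does not resolve `volume:` references; the function names and the sample layout are constructed.

```python
import os
import re
import tempfile

PATH_KEYS = ("homePath", "coldPath", "thawedPath")

def configured_paths(conf_text, splunk_db):
    """Resolve every home/cold/thawed path declared in indexes.conf text."""
    paths, stanza = set(), None
    for raw in conf_text.splitlines():
        line = raw.strip()
        header = re.match(r"\[(.+)\]$", line)
        if header:
            stanza = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep and stanza and key.strip() in PATH_KEYS:
            value = value.strip().replace("$SPLUNK_DB", splunk_db)
            paths.add(os.path.normpath(value.replace("$_index_name", stanza)))
    return paths

def dir_size(path):
    """Total bytes of all files below path."""
    return sum(os.path.getsize(os.path.join(root, name))
               for root, _, files in os.walk(path) for name in files)

def orphaned_index_dirs(conf_text, splunk_db):
    """Map directory name -> bytes for index-like dirs no stanza points into."""
    configured = configured_paths(conf_text, splunk_db)
    orphans = {}
    for name in sorted(os.listdir(splunk_db)):
        top = os.path.normpath(os.path.join(splunk_db, name))
        if not os.path.isdir(os.path.join(top, "db")):
            continue  # heuristic (assumption): an index directory has a db/ subdirectory
        if not any(p.startswith(top + os.sep) for p in configured):
            orphans[name] = dir_size(top)
    return orphans

def demo():
    """Constructed layout: index_02 was dropped from indexes.conf, its data stays."""
    conf = ("[index_01]\nhomePath = $SPLUNK_DB/$_index_name/db\n"
            "coldPath = $SPLUNK_DB/$_index_name/colddb\n")
    with tempfile.TemporaryDirectory() as splunk_db:
        for index in ("index_01", "index_02"):
            os.makedirs(os.path.join(splunk_db, index, "db"))
        with open(os.path.join(splunk_db, "index_02", "db", "sample.bin"), "wb") as fh:
            fh.write(b"\0" * 2048)
        return orphaned_index_dirs(conf, splunk_db)

if __name__ == "__main__":
    print(demo())
```

Anything the script reports is only a candidate: confirm it against the effective configuration before removing data through the documented procedure.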
