Splunk Enterprise

Remove KVStore data after deleting collections.conf

ohbuckeyeio
Path Finder

Hello,

Is there a process to remove data from mongo DB when the KVStore's collections.conf and transforms.conf have been previously deleted?

I am making an assumption that the clean command for kvstore requires a collections.conf.  The documentation does not state otherwise.

Thank you.

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Restart the SH and the data no longer in collections.conf will be removed from the KV Store.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

ohbuckeyeio
Path Finder

Thank you.  I will accept the solution, but might open an SR with Splunk to inquire.  I will follow up when I have more information.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Restart the SH and the data no longer in collections.conf will be removed from the KV Store.

---
If this reply helps you, Karma would be appreciated.

ohbuckeyeio
Path Finder

Thank you for the reply!  This is interesting and brings about a few more questions.

Is it safe to assume this applies to an entire KVStore collection, as well as individual fields within the KVStore?

How does this impact replication in the case of a search head cluster and restarting a single node?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

As I understand it, restarts apply to individual fields as well.

I don't understand the second question so I don't have an answer for it.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ohbuckeyeio
Path Finder

My apologies.

If you have a search head cluster with 3 nodes, and one is restarted, that SH performs clean up for the collections.conf items that have been removed. When replication occurs with the other SHs, will it notify its counterparts that those objects should be deleted from them as well?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I believe it will, but you still should restart those other cluster members.

---
If this reply helps you, Karma would be appreciated.

ohbuckeyeio
Path Finder

Thank you, Rich. 

Last question: Do you know if this is documented anywhere?  I looked in the docs and Splunk Support to no avail.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I have not found any documentation on this.  It's pretty much word-of-mouth so far.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...