Splunk Enterprise

How to completely delete an index and remove it from the list of indexes that show up in splunkweb's manager >> indexes page?

rayfoo
Path Finder

Googling for "splunk delete index" turns up

http://www.splunk.com/base/Documentation/3.3/User/DeleteAnIndex

Which gives this error when I use it in CLI

Command error: This command has been removed.

How do we delete an index in 4.1.3?

edit: I'm not referring to cleaning eventdata from an index, for which Lowell's and Nicholas' answers would be correct. (Thanks though!) I'm referring to actually deleting an index from Splunk, so that it actually is removed from the indexes list in the Manager.


Genti
Splunk Employee

rayfoo,

go to Manager » Indexes and find your index there. Go ahead and Disable this index. Make sure you have removed all input.conf stanzas that monitor data and send it to this particular index.

Once finished, restart splunk. Check to make sure that the index got disabled. Then to completely delete/remove the index go to $SPLUNK_DB/INDEX_NAME/ and either delete or move this index to a different folder.

Then, go and find where the stanza for the particular index that you want to delete got saved in your indexes.conf.

You can check /etc/system/local or /etc/apps/search/local/ or even /etc/apps/launcher/local/. Find and remove the stanza that is relevant to your index (the one you want to delete). It should look something like this:

[test]
coldPath = $SPLUNK_DB/test/colddb
homePath = $SPLUNK_DB/test/db
thawedPath = $SPLUNK_DB/test/thaweddb
disabled = 1

Then restart splunk again. I believe this should be enough for you to "delete" the index and not have it show up in the indexes list on your manager page.

Cheers,
.gz
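
For the step above of locating the index's stanza and the inputs that feed it, here is an added example (not part of the original thread or Splunk's own tooling) that searches a whole etc tree instead of only the three directories named. The function names, the sample tree and the app name "myapp" are constructed for illustration; on a real installation pass $SPLUNK_HOME/etc as the first argument.

```shell
#!/bin/sh
# Added example (not from the thread): report every config file that still
# defines an index or routes inputs to it, so none is missed before restart.

# Print "file:line" for each indexes.conf stanza header equal to [INDEX].
find_index_stanzas() {
    find "$1" -type f -name indexes.conf | sort | while IFS= read -r conf; do
        awk -v idx="$2" '
            /^\[/ { name = $0
                    sub(/^\[/, "", name); sub(/\][ \t\r]*$/, "", name)
                    if (name == idx) print FILENAME ":" NR }' "$conf"
    done
}

# Print "file:line" for each inputs.conf setting "index = INDEX".
find_index_inputs() {
    find "$1" -type f -name inputs.conf | sort | while IFS= read -r conf; do
        awk -v idx="$2" '
            /^[ \t]*index[ \t]*=/ { val = $0
                    sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]*$/, "", val)
                    if (val == idx) print FILENAME ":" NR }' "$conf"
    done
}

# Build a constructed sample tree (hypothetical app name "myapp") under DIR.
make_demo_tree() {
    mkdir -p "$1/system/local" "$1/apps/search/local" "$1/apps/myapp/default"
    printf '[main]\nhomePath = $SPLUNK_DB/defaultdb/db\n' \
        > "$1/system/local/indexes.conf"
    printf '[test]\nhomePath = $SPLUNK_DB/test/db\ndisabled = 1\n' \
        > "$1/apps/myapp/default/indexes.conf"
    printf '[monitor:///var/log/app.log]\nindex = test\n\n[monitor:///var/log/x.log]\nindex = test2\n' \
        > "$1/apps/search/local/inputs.conf"
}

# Demo run on the constructed tree; the stanza sits in an app's default
# directory, outside the three locations listed in the answer.
demo=$(mktemp -d)
make_demo_tree "$demo"
echo "indexes.conf stanzas for [test]:"; find_index_stanzas "$demo" test
echo "inputs.conf references to test:";  find_index_inputs "$demo" test
rm -rf "$demo"
```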


christantoy
Path Finder

This would be helpful!!

http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/RemovedatafromSplunk

Just read carefully... and always back up your files!!

Regards
Cris

0 Karma

mohitvohra109
Explorer

Hi bmnguyen,

Even I have been facing this issue (on Splunk 4.1.6) but have found only a few links useful. Sharing them here, hope they might help:

  1. Tells how to delete an index in 4.2 and above versions: http://www.splunk.com/base/Documentation/4.2.1/Admin/RemovedatafromSplunk

  2. indexes.conf file - good to know how the indexes are listed there. Link: http://www.splunk.com/base/Documentation/4.2.1/admin/Indexesconf

Hope these two links help. Do let me know if these helped you in resolving your issue or not.

Regards,

Mohit Vohra.

0 Karma

bmnguyen
Explorer

Never mind! I found the instructions for Splunk 4.2.1 to remove indexed data and completely delete the index.

Follow the links below:

Remove indexed data from Splunk

Completely delete an index (and not just the data contained in it)

It seems to be obvious once you know it, but before then, general instructions were so vague.

Thanks

bmnguyen
Explorer

It is now May 7, 2011, and I am using Splunk 4.2 build 96430. Does anyone have the answer? I am new to Splunk and learning how to develop apps and to manage the system.

I have followed the instruction above to remove an index. (Well, sort of! The instruction doesn't explicitly spell out the "relevant index.conf" and the "all input.conf"). I located and viewed ALL index.conf and input.conf files under the $SPLUNK_HOME directory tree, but I found no trace of related stanzas or settings. Regardless of all my efforts, the web screen at Splunk >> Manager >> Indexes still lists the index. Uh!

On the other hand, I used the CLI to remove, but it returned a message, "Command error: This command has been removed."

I wonder why the "splunk remove index {Index_Name}" command has been removed and why this version of Splunk has made a step backward, compared to the previous versions.

The system seems to be OK with the disabled index, but I want to tidy up my system.

I greatly appreciate any help I can get.
Thanks

0 Karma

jduraes
Explorer

I'm sorry to revive this thread, but as of 4.2.1, it still seems like it is still not possible to remove/delete an index using the UI or CLI.

I find it somewhat bizarre that such a feature just does not exist. I'm quite curious about it, as surely there must be a good reason for that.

Does anyone know why?

thx

0 Karma

rayfoo
Path Finder

Yeps, refer to Genti's answer which I chose, right at the top of this section.

mctester
Communicator

Not sure why the debate is still ongoing; Genti's answer above contains all the information you need to remove an index:

  1. Disable the index via Manager
  2. Manually remove the data from disk and the entry from the relevant indexes.conf if desired

There is no feature to completely remove an index via the UI or the CLI.

0 Karma

esanz07
Explorer

Has this question been answered?

How do you delete an index (completely) from Splunk 4.1.3 (not just clear events)?

Raj, did you get an answer to the question? I tried the old procedure, but the index is still visible (although disabled).

0 Karma


Nicholas_Key
Splunk Employee

try this rayfoo:

./splunk clean eventdata <indexName> -f

or this:

./splunk clean eventdata -index <indexName> -f

By the way, are you trying to remove the events from that particular index? Or are you trying to move the index to another directory?

rayfoo
Path Finder

Thanks, but I'm not referring to cleaning eventdata (pls ref to my edit in the qn above)

0 Karma

Lowell
Super Champion

Your doc is pointing to the 3.3 release of splunk, which is not relevant to 4.1. Use this link instead:

http://docs.splunk.com/Documentation/Splunk/4.1/Admin/RemovedatafromSplunk

rayfoo
Path Finder

Thanks, but I'm not referring to cleaning eventdata (pls ref to my edit in the qn above)

0 Karma

Genti
Splunk Employee

yeap, Lowell is right:

To permanently remove event data from a single index, type:

  ./splunk clean eventdata <index_name>

  where <index_name> is the name of the targeted index.