Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

unable to delete indexes

parth_jec
Path Finder
‎07-18-2012 10:31 AM

Hi, I am following the below steps from splunk documentation to delete indexes:

  1. Look through all inputs.conf files (on your indexer and on any forwarders sending data to the indexer) and make sure that none of the stanzas are directing data to the index you want to delete. In other words, if you want to delete an index called "nogood", make sure the following attribute/value pair does not appear in any of your input stanzas: index=nogood.

  2. Stop the indexer.

  3. Edit indexes.conf and remove the entire stanza for the index you want to delete.

  4. Start the indexer.

http://docs.splunk.com/Documentation/Splunk/latest/admin/RemovedatafromSplunk#Delete_an_index_entire...

In setp 3, the indexes.conf does not have any stanza's for the indexes I carated and I want to delete. I contains some default indexes only. I have checked indexes.conf both at /apps/splunk/etc/system/default and local. The indexes.conf at /apps/splunk/etc/system/local/ looks like:

[_audit]
disabled = 0

[_blocksignature]
disabled = 0

[_internal]
disabled = 0

[_thefishbucket]
disabled = 0

[history]
disabled = 1

How can I delete indexes?

Thanks,

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jbsplunk
Splunk Employee
Splunk Employee
‎07-18-2012 03:14 PM

There is more than one indexes.conf file. If you're seeing them in the web GUI, they exist in an indexes.conf file someplace. If you're running a linux box, from $SPLUNK_HOME/etc, you can do something like 'find . -name indexes.conf | xargs grep nogood'. But if it didn't exist in indexes.conf, someplace, btool wouldn't read it and you wouldn't have it in the GUI.

View solution in original post

Reply
Solved! Jump to solution
Solution

jbsplunk
Splunk Employee
Splunk Employee
‎07-18-2012 03:14 PM

There is more than one indexes.conf file. If you're seeing them in the web GUI, they exist in an indexes.conf file someplace. If you're running a linux box, from $SPLUNK_HOME/etc, you can do something like 'find . -name indexes.conf | xargs grep nogood'. But if it didn't exist in indexes.conf, someplace, btool wouldn't read it and you wouldn't have it in the GUI.

Reply
Solved! Jump to solution

parth_jec
Path Finder
‎07-18-2012 03:34 PM

Thanks, got it solved. the indexes.conf I was looking for was at /apps/splunk/etc/apps/search/local/indexes.conf. I guess because the indexes were created for search app.

0 Karma
Reply
Solved! Jump to solution

parth_jec
Path Finder
‎07-18-2012 03:09 PM

I have created few indexes, for some reason I had to change the names of the indexes. So, I created new indexes with requred names and disabled the old ones. Now, I want to delete the disabled indexes.
I can't see the indexes I created in the indexes.conf file but I can see them in the web front end.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎07-18-2012 02:58 PM

Where are you still seeing the indexes? What are you trying to accomplish?

0 Karma
Reply
Solved! Jump to solution

monicato
Path Finder
‎07-18-2012 10:50 AM

Not sure if this will answer your question, but I asked this question a few days ago and the answer I got helped me. It regards cleaning indexes.

here's the post:http://splunk-base.splunk.com/answers/53064/messed-up-input-data-ruiningslowing-down-search

0 Karma
Reply
Solved! Jump to solution

parth_jec
Path Finder
‎07-18-2012 02:48 PM

I am trying to delete index compeletely and not just data of index.

Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...