Getting Data In

Is there a way to prevent deletion of indexes?

a212830
Champion

Hi,

We had a "mishap", and a number of indexes ended up getting deleted, due to a bad indexes.conf configuration. I'm wondering is there a way to tell splunk not to delete indexes?

0 Karma

sloshburch
Splunk Employee
Splunk Employee

IIRC, indexes aren't deleted by means of the indexes.conf changing. Instead, the indexes only stop being known by the indexer but the data itself is still on the filesystem. Have you verified that the folder structure is in fact deleted from the filesystem as well?

Deleting typically requires some account and capabilities that you can restrict. If someone goes on the filesystem directly and deletes the index's db folders then there's nothing you can do...just like anything else on the filesystem.

Hopefully that helps?

a212830
Champion

OK. That's certainly a help. Let me look further into this...

0 Karma

sloshburch
Splunk Employee
Splunk Employee

Any update? Did this help?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...