- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- What are the steps to remove data from an indexer ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am new to Splunk, could you please help?
I have a Splunk cluster - 1 Master(also the license master), 3 node indexer cluster, 1 search head. I want to delete data in a specific index
Could you please verify if the following steps are correct to delete event data?
On the Master Node : put cluster in maintenance mode
stop indexers - splunk stop on each indexer
remove data using the command splunk clean eventdate -index xyz - where do I run this command - on each indexer node ?
start indexers - splunk start on each indexer
On Master Node : disable Maintenance node
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
your approach will be very tough to achieve.
below is an approach wit no downtime, no maintenance mode and no indexers access
steps to remove all data:
1. stop data sources for that index from sending data to that particular index (modify relevant input.conf on source)
2. in the cluster master, find the app that has the relevant index configuration (indexes.conf)
3. find the relevant [stanza] index name
4. modify (or add) frozenTimePeriodInSecs and give it minimal value, like 10 or 60
5. push the configuration to the indexers $SPLUNK_HONE/bin/splunk apply cluster-bundle
6. watch the sunset as your data fades away.
7. if you need the index for new data, modify the config you changed earlier to desired value and apply cluster bundle again
essentially what you are doing, is telling Splunk to freeze all events older than 10 seconds
splunk will remove data very very fast, make sure you changed the value on the right index [stanza] there is no coming back from this one.
lastly verify that you dont have cold to frozen script or configuration, as all your data will be shipped somewhere else.
hope it helps and please let us know how it worked for you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot... That worked
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
your approach will be very tough to achieve.
below is an approach wit no downtime, no maintenance mode and no indexers access
steps to remove all data:
1. stop data sources for that index from sending data to that particular index (modify relevant input.conf on source)
2. in the cluster master, find the app that has the relevant index configuration (indexes.conf)
3. find the relevant [stanza] index name
4. modify (or add) frozenTimePeriodInSecs and give it minimal value, like 10 or 60
5. push the configuration to the indexers $SPLUNK_HONE/bin/splunk apply cluster-bundle
6. watch the sunset as your data fades away.
7. if you need the index for new data, modify the config you changed earlier to desired value and apply cluster bundle again
essentially what you are doing, is telling Splunk to freeze all events older than 10 seconds
splunk will remove data very very fast, make sure you changed the value on the right index [stanza] there is no coming back from this one.
lastly verify that you dont have cold to frozen script or configuration, as all your data will be shipped somewhere else.
hope it helps and please let us know how it worked for you
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
