Knowledge Management

[smartstore] How to delete bucket from local storage and also from remote store?

rbal_splunk
Splunk Employee
Splunk Employee

I need to figure out the valid command that could be used to delete bucket locally and from a remote store. In the past, we used the command

curl -k -u admin: -X POST https://localhost:8089/services/cluster/master/buckets//remove_all

This commands only delete the bucket locally but bucket continues to exist on remote store.

To remove the bucket from the remote store the cli command is
$SPLUNk_HOME/bin/splunk cmd splunkd rfs -- rmV --starts-with bucket:_audit~2~761A77A2-6676-4BF9-83CD-1CB243ED61BF

Due to just using the "remove_all" to remove the bucket we are in a situation where are present only on remote and not locally.
Also these buckets are not visible to |dbinspect

Tags (1)
0 Karma

rbal_splunk
Splunk Employee
Splunk Employee

Here is something that will work -To delete bucket both from remote and locally use

curl -k -u admn:xxxxxxx https://:24711/services/data/indexes/_audit/freeze-buckets -d bucket_ids=_audit~100~33B81190-7EE1-4FCD-AC6D-DC4E3BEF7E1C -X POST

Note:

-Done on indexer
-works on standalone also
-In a cluster environment, the other indexer also would delete the bucket locally
-Suitable for S2 environment taking care of deleting remote bucket

0 Karma

rbal_splunk
Splunk Employee
Splunk Employee

In this case, you will need a cluster to re-discover the bucket that is only present on the remote. The cluster can be bootstrap and it will discover the bucket from remote and download them locally, which will enable them to use |dbinspet and later remove the bucket from both locally and from remote.

bootstrap command
$SPLUNK_HOME/bin/splunk _internal call /services/cluster/master/control/control/init_recreate_index -method POST

bootstrapping would ensure that buckets which are already present in the cluster would not be created again on the cluster.
bootstrapping would just list all the buckets on S3 and would then create the buckets which are not present on the cluster.
It is usually quick as well.
Hence if only missing a few buckets on the cluster, we can initiate bootstrapping and it would create these buckets.
Is also fairly safe / quick to run this for large deployments.

To discover these buckets, bootstrapping is the only option currently. it is not supported per index.
The entire operation is detached from the usual operations of CM - it is safe and quick as well.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...