Deployment Architecture

Index=perfmon deleted but still data is coming in

vrmandadi
Builder

We get performance monitor data from windows_ta and windows_ta_dns. We no longer need the data and don't care about old data. I removed the index from the cluster master and reloaded across the cluster, but I still see data coming. What are the other locations to check to see from where this index is created? Secondly, how do I delete all the data in the indexers from index=perfmon? Is it going to /opt/splunk/var/lib/splunk, looking for the perfmon directory and deleting it on each indexer?

Thanks in Advance

0 Karma

richgalloway
SplunkTrust

Removing indexes will not stop data from coming in, it just gives that data no place to go (unless you have a lastchance index defined).

Go through the deployment-apps directory on your deployment server and disable the perfmon inputs you find there. Remove entire apps if you no longer need them. Reload the deployment server and the inputs should stop in a few minutes after all the forwarders phone home.

---
If this reply helps you, Karma would be appreciated.
0 Karma

vrmandadi
Builder

Hello @richgalloway. I checked the deployment server and disabled all the inputs (disabled=1) but I still see data. What are the other possible locations for perfmon data? I also want to clear the disk space on the indexers. How can I delete the perfmon data? Please advise.

0 Karma

richgalloway
SplunkTrust

Verify the disabled inputs have been loaded by the forwarders by signing in to some of them and running splunk btool inputs list.

If by "see data" you mean you can still search for it then that will be the case until you delete the relevant index(es) or the data ages out. Your search for the data should show the index(es) in which the data resides (use Verbose Mode), which will tell you the indexes to remove.

See https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/RemovedatafromSplunk#Remove_an_index_enti... for how to remove an index, but it sounds like you are doing it right.

---
If this reply helps you, Karma would be appreciated.
0 Karma

vrmandadi
Builder

Yes, I can still search the data now. I mean data is still coming in for that index. I deleted that index from the cluster master and reloaded across the cluster members, but it is still getting data. I do not understand where this index is configured. The other thing I observed is that the add-ons splunk_ta_windows and splunk_windows_ta_dns have an indexes.conf file in the default directory which has the perfmon index in it. I created a local file and removed the index in it. Then I see the difference. But my question is: does the TA still keep sending the data when the index is removed? Does it cause the forwarders to fill the queue?

0 Karma

richgalloway
SplunkTrust

Please re-read my answer. Removing indexes does not stop data from coming in. You must modify inputs.conf to stop the input.

---
If this reply helps you, Karma would be appreciated.
0 Karma
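
Added example (not part of the thread, and not Splunk's or the posters' code): a Python script that walks a deployment-apps style directory, layers each app's local/inputs.conf over its default/inputs.conf, and lists perfmon inputs, or any input with index = perfmon, that are still enabled. The app names and file contents are constructed, and it assumes an input with no disabled setting is enabled.

```python
import tempfile
from pathlib import Path

def parse_conf(path):
    """Parse a Splunk .conf file into {stanza: {key: value}}; a missing file gives {}."""
    stanzas, current = {}, None
    text = path.read_text(encoding="utf-8") if path.is_file() else ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and not line.startswith("#") and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def enabled_inputs(apps_dir, index="perfmon"):
    """Return (app, stanza) pairs that still feed `index` after local overrides default."""
    hits = []
    for app in sorted(p for p in Path(apps_dir).iterdir() if p.is_dir()):
        merged = parse_conf(app / "default" / "inputs.conf")
        for stanza, attrs in parse_conf(app / "local" / "inputs.conf").items():
            merged.setdefault(stanza, {}).update(attrs)  # local wins per attribute
        for stanza, attrs in merged.items():
            targets = stanza.lower().startswith("perfmon://") or attrs.get("index") == index
            # Assumption: an input with no "disabled" setting is enabled.
            disabled = attrs.get("disabled", "0").lower() in ("1", "true")
            if targets and not disabled:
                hits.append((app.name, stanza))
    return hits

def demo():
    """Constructed sample tree: local/inputs.conf disables only one of three inputs."""
    root = tempfile.mkdtemp()
    files = {
        "example_ta_windows/default/inputs.conf":
            "[perfmon://CPU]\nindex = perfmon\n[perfmon://Memory]\nindex = perfmon\n",
        "example_ta_windows/local/inputs.conf": "[perfmon://CPU]\ndisabled = 1\n",
        "example_ta_dns/default/inputs.conf": "[WinEventLog://DNS Server]\nindex = perfmon\n",
    }
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
    return enabled_inputs(root)

if __name__ == "__main__":
    print(demo())
```

This only merges default and local within each app; running splunk btool inputs list on a forwarder remains the check of what that forwarder has actually loaded.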