Getting Data In

Deleting an index due to index volume exceeded

oranger1426
Explorer

I have a 1 GB license and I would like to delete an index that causes an inflow of huge syslogs. How do I remove it in the Splunk web interface?

Would removing it enable me to search again?

0 Karma

yannK
Splunk Employee

To stop the data from coming in, delete the input, not the index.
To figure it out, look at your inputs, the listening ports or the forwarders.
Another technique is to use an index-time nullQueue filter to drop some events before the indexing (search for this on Answers or the docs).

If you remove the index, the buckets will stay on disk (see indexes.conf for the location).
But Splunk will refuse to start if you disable the "main" index.
And if this is not the main index, the events will come and you will see an error for missing index all the time.

0 Karma
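The index-time nullQueue filter mentioned in the answer above, as an added example that is not part of the original post: it discards all events of one sourcetype except those matching a keep pattern. The sourcetype name `syslog`, the stanza names and the keep regex are assumptions made for illustration.

```ini
# props.conf (on the indexer or heavy forwarder that parses the data)
# "syslog" is an assumed sourcetype name; use the one your input assigns.
[syslog]
TRANSFORMS-filter = syslog_drop_all, syslog_keep_important

# transforms.conf (same instance)
# Transforms run in the order listed above, so the last match decides the queue.
[syslog_drop_all]
# Match every event and route it to nullQueue (discarded before indexing).
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[syslog_keep_important]
# Constructed pattern: events containing these words are sent back to indexQueue.
REGEX = (?i)\b(error|fail(ed|ure)?|denied|critical)\b
DEST_KEY = queue
FORMAT = indexQueue
```

The filter only affects events that arrive after Splunk is restarted with these settings; data already indexed is untouched.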

kristian_kolb
Ultra Champion

No, it will not. The license does not work that way. If you have violations you can either apply for a reset license through support, upgrade your existing license or wait until the violations age out. This last may not happen if you constantly receive more logs than your license allows for.

If you can live without the data (which I guess you can, since you want to delete it) it's better to turn off the logging at the source. Otherwise you will send useless stuff over the network only to be handled by an application that will throw them away.

/K

0 Karma