After changing data retention, why is indexes.conf...

kiran331 · ‎11-28-2016

Hi

I have changed the data retention and pushed the bundle from the cluster master. In 2 indexers, the data got deleted but in one indexer, it's still the same. The indexes.conf in the slave-apps is same on all 3 indexers. What changes do I have to make so that the indexer will remove data from the cold buckets of one index?

Splunk version - 6.4.2

dxu_splunk · ‎11-28-2016

try using btool to figure out which file is providing which configuration.

bin/splunk btool indexes list INDEX_IN_QUESTION --debug

kiran331 · ‎11-29-2016

it shows the correct file and its same on other 2 indexers, the issue is only for that one index.

vasanthmss · ‎11-28-2016

hope the below debugging steps will helps you,

run this on cluster master, /opt/splunk/bin/splunk show cluster-bundle-status and validate the bundle status. all indexers should have the same bundle id and time.
keep the cluster master in maintenance mode /opt/splunk/bin/splunk enable maintenance-mode and restart all the indexers. hopefully this will fix the issue. then disable the maintenance mode /opt/splunk/bin/splunk disable maintenance-mode

Cheers!!

V

kiran331 · ‎11-28-2016

Hi Vasanthmss, thanks for your response, I tried restarting all indexers, one indexer is still same.

vasanthmss · ‎11-28-2016

check the other indexers, etc/system/* and etc/apps/*

Seems like other stanza overriding your bundle priority.

V

After changing data retention, why is indexes.conf not working on one indexer?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...