Deployment Architecture

Is it possible to delete unreferenced buckets while the Splunk server is running?

bbialek
Path Finder

I'm not sure how it came to be, but it looks like my _internal index's cold path has changed. This left a bunch of cold buckets in the old location which seems unreferenced by any index as seen by | dbinspect index=*.

As noted here:
https://answers.splunk.com/answers/108941/deleting-a-bucket.html#answer-108942
hot/warm/cold buckets should not be removed while the server is running, but in this case, it seems it can be done. Can someone confirm?

0 Karma

ddrillic
Ultra Champion

It would be interesting to see what you get when running -

splunk list excess-buckets _internal

Based on Remove excess bucket copies from the indexer cluster

You probably should be just fine to remove them...

0 Karma

bbialek
Path Finder

The command resulted in "In handler 'clustermasterpeerindexes': master is not enabled on this node".

0 Karma
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...