Solved: Re: unable to delete indexes

parth_jec · ‎07-18-2012

Hi, I am following the below steps from splunk documentation to delete indexes:

Look through all inputs.conf files (on your indexer and on any forwarders sending data to the indexer) and make sure that none of the stanzas are directing data to the index you want to delete. In other words, if you want to delete an index called "nogood", make sure the following attribute/value pair does not appear in any of your input stanzas: index=nogood.
Stop the indexer.
Edit indexes.conf and remove the entire stanza for the index you want to delete.
Start the indexer.

http://docs.splunk.com/Documentation/Splunk/latest/admin/RemovedatafromSplunk#Delete_an_index_entire...

In setp 3, the indexes.conf does not have any stanza's for the indexes I carated and I want to delete. I contains some default indexes only. I have checked indexes.conf both at /apps/splunk/etc/system/default and local. The indexes.conf at /apps/splunk/etc/system/local/ looks like:

[_audit]
disabled = 0

[_blocksignature]
disabled = 0

[_internal]
disabled = 0

[_thefishbucket]
disabled = 0

[history]
disabled = 1

How can I delete indexes?

Thanks,

jbsplunk · ‎07-18-2012

There is more than one indexes.conf file. If you're seeing them in the web GUI, they exist in an indexes.conf file someplace. If you're running a linux box, from $SPLUNK_HOME/etc, you can do something like 'find . -name indexes.conf | xargs grep nogood'. But if it didn't exist in indexes.conf, someplace, btool wouldn't read it and you wouldn't have it in the GUI.

View solution in original post

jbsplunk · ‎07-18-2012

There is more than one indexes.conf file. If you're seeing them in the web GUI, they exist in an indexes.conf file someplace. If you're running a linux box, from $SPLUNK_HOME/etc, you can do something like 'find . -name indexes.conf | xargs grep nogood'. But if it didn't exist in indexes.conf, someplace, btool wouldn't read it and you wouldn't have it in the GUI.

parth_jec · ‎07-18-2012

Thanks, got it solved. the indexes.conf I was looking for was at /apps/splunk/etc/apps/search/local/indexes.conf. I guess because the indexes were created for search app.

parth_jec · ‎07-18-2012

I have created few indexes, for some reason I had to change the names of the indexes. So, I created new indexes with requred names and disabled the old ones. Now, I want to delete the disabled indexes.
I can't see the indexes I created in the indexes.conf file but I can see them in the web front end.

Ayn · ‎07-18-2012

Where are you still seeing the indexes? What are you trying to accomplish?

monicato · ‎07-18-2012

Not sure if this will answer your question, but I asked this question a few days ago and the answer I got helped me. It regards cleaning indexes.

here's the post:http://splunk-base.splunk.com/answers/53064/messed-up-input-data-ruiningslowing-down-search

parth_jec · ‎07-18-2012

I am trying to delete index compeletely and not just data of index.

unable to delete indexes

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk