Hello
I have to be doing something incorrectly. I have an indexes app that stores our index configs. Small environment, 2 indexers 1 Search Head(SH) 1Universal Forwarder(UF). I added some data via the UI on the SH to an index named `dev_tsv`. Now I'm adding data to that index via a UF but am deleting the index to clear out the previous data.
Deleted the config from `indexes.conf` and restarted the indexers. Also removed any index config for this index from the SH, just to make sure. On the UF I removed the files from the monitored path. I restarted all hosts after that.
I added the index config back to 1 indexer and restart and all the data that was previously in the index is in search again. The logs in Splunk say they come from the SH and the UF via the host field but there should be no files there for them to monitor and I can confirm that via filepaths.
How can I remove this data? How is this data still there? Where is this data coming from?
↧