FortiSIEM: Can We Delete a Worker from a Shard?

Forum|Forum|1 year ago
March 17, 2025
2 replies
703 views

We have a scenario where an MSSP is facing a critical storage issue and needs an immediate resolution. They have a two-node replica setup and are considering deleting one worker from a shard to restore system functionality.

The plan is to remove one worker, migrate the remaining worker to new storage, and then recreate the deleted worker.

Would this approach be feasible? Could deleting a worker impact data integrity or overall system functionality? Any guidance on best practices for handling this scenario would be greatly appreciated.
Version: 7.1

Fortisiem

beingarifAuthor

Explorer III

@Secusaurus @Anthony_E @RuiChang @yujames Can you please help here...

Secusaurus

Contributor III

Hi @beingarif,

Your mentioned scenario should be possible.

There is also some documentation in the official guides on how to remove workers or shards in case you run in trouble with recreating the one you like to move, see: https://help.fortinet.com/fsiem/7-2-0/Online-Help/HTML5_Help/appendix-clickhouse-advanced-operations.htm

But:

The components all run as VMs. So, in case your customer is not switching to a different hypervisor: Why don't you just export and import the whole machine?

Best,

Christian

NSE8 | Fortinet Advanced MSSP Partner

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded