Solved: How do I delete from the 'main' index

lstewart_splunk · ‎08-16-2017

I have a standalone instance of Splunk Enterprise.
I uploaded a few XML files to perform some testing and now I want to delete the files from the index.
Logged in as admin, I created a user with the role of "can_delete"
I logged in as that user and ran the search to locate the events. My search is "index=main source=*xml". The events appear in the output on the events tab.
I then append " | delete" to the search and I get an error message saying that the events could not be deleted and
"You do not have the capability to delete from index=main"

I have performed this operation successfully before. Not sure why it isn't working now.
I've gone back and tried adding roles to the user, deleting and recreating the user. Nothing works.
Any suggestions?

gcusello · ‎08-17-2017

Hi lstewart [Splunk],
I had the same problem last year with _internal index, there is a restriction of the delete command.
Howevers, starting 6.5.x, there is a new attribute in town for roles called 'deleteIndexesAllowed' (see http://docs.splunk.com/Documentation/Splunk/latest/admin/authorizeconf ).

deleteIndexesAllowed = <string>
* Semicolon delimited list of indexes this role is allowed to delete
* This setting must be used in conjunction with the delete_by_keyword
  capability
* Follows the same wildcarding semantics as srchIndexesDefault
* Defaults to none

The semantics of the values is same as 'srchIndexesDefault'

Try this

put in $SPLUNK_HOME/system/local/authorize.conf (if it doesn't exist, create it) and restart Splunk

 [role_can_delete]
 deleteIndexesAllowed = *;main

Bye.
Giuseppe

View solution in original post

sonny_monti · ‎07-10-2019

You did the correct think to inherit role can_delete and admin capabilities.
Maybe the changes did not go in memory so try this:

Go in $SPLUNK_HOME/bin
From the terminal/console on the SH: ./splunk reload auth (for windows .\splunk reload auth)
pipe the delete command on your search

This command reloads the authorizations of splunk.
Let me know if that worked, and give me a upvote if you find this

gcusello · ‎08-17-2017

Hi lstewart [Splunk],
I had the same problem last year with _internal index, there is a restriction of the delete command.
Howevers, starting 6.5.x, there is a new attribute in town for roles called 'deleteIndexesAllowed' (see http://docs.splunk.com/Documentation/Splunk/latest/admin/authorizeconf ).

deleteIndexesAllowed = <string>
* Semicolon delimited list of indexes this role is allowed to delete
* This setting must be used in conjunction with the delete_by_keyword
  capability
* Follows the same wildcarding semantics as srchIndexesDefault
* Defaults to none

The semantics of the values is same as 'srchIndexesDefault'

Try this

put in $SPLUNK_HOME/system/local/authorize.conf (if it doesn't exist, create it) and restart Splunk

 [role_can_delete]
 deleteIndexesAllowed = *;main

Bye.
Giuseppe

sam_indeed · ‎12-08-2021

Just replying here in case anyone else stumbles upon this and can't find the same folder, click on the documentation link!

The updated path is

$SPLUNK_HOME/etc/system/local/

rgreer · ‎04-06-2018

This worked for me. Once I added deleteIndexesAllowed to my authorize.conf and restarted Splunk, I was able to remove the data I wanted.

gcusello · ‎07-10-2019

Hi lstewart [Splunk],
If you're satisfied by this answer, please accept and/or upvote it.
Bye.
Giuseppe

masonmorales · ‎08-16-2017

Is the new user inheriting both the admin role as well as the can_delete role? Try restarting Splunk after updating the user's roles. You shouldn't have to restart, but maybe you've encountered a bug that is preventing the role's permissions from updating...

How do I delete from the 'main' index

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!