
How do I delete from the 'main' index

lstewart_splunk
Splunk Employee

I have a standalone instance of Splunk Enterprise.
I uploaded a few XML files to perform some testing and now I want to delete the files from the index.
Logged in as admin, I created a user with the role of "can_delete"
I logged in as that user and ran the search to locate the events. My search is "index=main source=*xml". The events appear in the output on the events tab.
I then append " | delete" to the search and I get an error message saying that the events could not be deleted and
"You do not have the capability to delete from index=main"

I have performed this operation successfully before. Not sure why it isn't working now.
I've gone back and tried adding roles to the user, deleting and recreating the user. Nothing works.
Any suggestions?

1 Solution

gcusello
Legend

Hi lstewart [Splunk],
I had the same problem last year with the _internal index; there is a restriction on the delete command.
However, starting with 6.5.x, there is a new attribute in town for roles called 'deleteIndexesAllowed' (see http://docs.splunk.com/Documentation/Splunk/latest/admin/authorizeconf ).

deleteIndexesAllowed = <string>
* Semicolon delimited list of indexes this role is allowed to delete
* This setting must be used in conjunction with the delete_by_keyword
  capability
* Follows the same wildcarding semantics as srchIndexesDefault
* Defaults to none

The semantics of the values are the same as for 'srchIndexesDefault'.

Try this

Put this in $SPLUNK_HOME/system/local/authorize.conf (if it doesn't exist, create it) and restart Splunk:

 [role_can_delete]
 deleteIndexesAllowed = *;main

Bye.
Giuseppe

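As an added example (not code from the thread or from Splunk itself), the following POSIX shell script does the three things the accepted answer relies on: it writes a [role_<name>] stanza carrying deleteIndexesAllowed into a local authorize.conf, reads the setting back, and checks whether a given index name is covered by that semicolon-separated list before you bother running "| delete". It assumes the local config path $SPLUNK_HOME/etc/system/local/authorize.conf, and it assumes the wildcard rule documented for srchIndexesAllowed: "*" matches every index except the internal ones whose names start with "_", which need their own "_*" pattern. The role name can_delete, the index list 'main;test_*' and the throwaway SPLUNK_HOME directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: manage and pre-check deleteIndexesAllowed
# for a Splunk role. Assumes local config lives at
# $SPLUNK_HOME/etc/system/local/authorize.conf and that wildcards follow the
# srchIndexesAllowed rule: "*" never matches an internal index ("_internal",
# "_audit", ...); those need a pattern starting with "_" (assumption).

# Append a [role_<role>] stanza to authorize.conf $1 granting delete on the
# semicolon-separated index list $3. Refuses to create a duplicate stanza,
# so re-running is safe; edit an existing stanza by hand instead.
grant_delete_indexes() {
  conf=$1; role=$2; indexes=$3
  mkdir -p "$(dirname "$conf")"
  if [ -f "$conf" ] && grep -qxF "[role_${role}]" "$conf"; then
    echo "[role_${role}] already exists in $conf; edit it instead" >&2
    return 1
  fi
  printf '[role_%s]\ndeleteIndexesAllowed = %s\n\n' "$role" "$indexes" >> "$conf"
}

# Print the deleteIndexesAllowed value for role $2 from authorize.conf $1.
# Prints nothing when the stanza or the key is absent (the "Defaults to none"
# case, which is exactly what produces the error quoted in the question).
role_delete_indexes() {
  [ -f "$1" ] || return 0
  awk -v s="[role_$2]" '
    $0 == s                 { inside = 1; next }
    /^[[:space:]]*\[/       { inside = 0 }
    inside && /^[[:space:]]*deleteIndexesAllowed[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); print; exit
    }' "$1"
}

# Return 0 if index $2 is matched by the semicolon-separated pattern list $1.
index_allowed() {
  idx=$2
  old_ifs=$IFS; IFS=';'; set -f; set -- $1; set +f; IFS=$old_ifs
  for p in "$@"; do
    p=$(printf '%s' "$p" | tr -d ' \t')          # tolerate "main ; other"
    [ -n "$p" ] || continue
    case "$idx" in
      _*) case "$p" in _*) ;; *) continue ;; esac ;;   # internal needs "_" pattern
    esac
    case "$idx" in
      $p) return 0 ;;                                   # unquoted: $p acts as a glob
    esac
  done
  return 1
}

# Combined pre-flight: can role $2 (per authorize.conf $1) delete from index $3?
# Exit 0 when yes; otherwise says why, so you know whether the fix is the
# stanza itself or only a "splunk reload auth" / restart to pick it up.
can_delete_from() {
  allowed=$(role_delete_indexes "$1" "$2")
  if [ -z "$allowed" ]; then
    echo "role $2 has no deleteIndexesAllowed in $1" >&2
    return 1
  fi
  index_allowed "$allowed" "$3" && return 0
  echo "index $3 is not covered by deleteIndexesAllowed = $allowed" >&2
  return 1
}

# Demo against a throwaway SPLUNK_HOME (constructed; no running Splunk needed).
if [ "${1:-}" = "--demo" ]; then
  SPLUNK_HOME=$(mktemp -d)
  conf="$SPLUNK_HOME/etc/system/local/authorize.conf"
  grant_delete_indexes "$conf" can_delete 'main;test_*'
  can_delete_from "$conf" can_delete main      && echo "main: ok"
  can_delete_from "$conf" can_delete _internal || echo "_internal: denied (expected)"
  echo "next: \$SPLUNK_HOME/bin/splunk reload auth, then re-run the search with | delete"
  rm -rf "$SPLUNK_HOME"
fi
```

Run it with --demo to see the allow and deny paths. Two points worth keeping in mind when using it for real: the stanza only takes effect once Splunk re-reads authorize.conf (a restart, or the reload auth step suggested further down the thread), and "| delete" only marks the matching events non-searchable; it does not free the disk space they occupy.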

sonny_monti
Path Finder

You did the correct thing to inherit the can_delete role and admin capabilities.
Maybe the changes did not go into memory, so try this:

  1. Go to $SPLUNK_HOME/bin
  2. From the terminal/console on the SH: ./splunk reload auth (for Windows: .\splunk reload auth)
  3. Pipe the delete command onto your search

This command reloads the authorizations of splunk.
Let me know if that worked, and give me an upvote if you find this

0 Karma

rgreer
Path Finder

This worked for me. Once I added deleteIndexesAllowed to my authorize.conf and restarted Splunk, I was able to remove the data I wanted.

0 Karma

gcusello
Legend

Hi lstewart [Splunk],
If you're satisfied with this answer, please accept and/or upvote it.
Bye.
Giuseppe

0 Karma

masonmorales
Influencer

Is the new user inheriting both the admin role as well as the can_delete role? Try restarting Splunk after updating the user's roles. You shouldn't have to restart, but maybe you've encountered a bug that is preventing the role's permissions from updating...
