Getting Data In

How do I delete from the 'main' index

lstewart_splunk
Splunk Employee

I have a standalone instance of Splunk Enterprise.
I uploaded a few XML files to perform some testing and now I want to delete the files from the index.
Logged in as admin, I created a user with the role of "can_delete"
I logged in as that user and ran the search to locate the events. My search is "index=main source=*xml". The events appear in the output on the events tab.
I then append " | delete" to the search and I get an error message saying that the events could not be deleted and
"You do not have the capability to delete from index=main"

I have performed this operation successfully before. Not sure why it isn't working now.
I've gone back and tried adding roles to the user, deleting and recreating the user. Nothing works.
Any suggestions?

1 Solution

gcusello
SplunkTrust

Hi lstewart [Splunk],
I had the same problem last year with the _internal index; there is a restriction on the delete command.
However, starting with 6.5.x, there is a new attribute in town for roles called 'deleteIndexesAllowed' (see http://docs.splunk.com/Documentation/Splunk/latest/admin/authorizeconf ).

deleteIndexesAllowed = <string>
* Semicolon delimited list of indexes this role is allowed to delete
* This setting must be used in conjunction with the delete_by_keyword
  capability
* Follows the same wildcarding semantics as srchIndexesDefault
* Defaults to none

The semantics of the values are the same as for 'srchIndexesDefault'.

Try this:

Put the following in $SPLUNK_HOME/system/local/authorize.conf (if it doesn't exist, create it) and restart Splunk:

 [role_can_delete]
 deleteIndexesAllowed = *;main

Bye.
Giuseppe
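
Added example (not part of the original thread and not Splunk code): a small Python check that reads role stanzas from authorize.conf text and reports whether a role could delete from a given index, combining the two conditions quoted above (the delete_by_keyword capability and a matching deleteIndexesAllowed pattern). Assumptions: the sample conf is constructed, role_analyst is hypothetical, the wildcard rule that only a pattern starting with "_" matches internal indexes is taken from the srchIndexes* settings, and importRoles inheritance and layering of multiple conf files are not resolved.

```python
import re

# Constructed sample: the stanza from the answer above with the capability it
# depends on, plus a hypothetical role_analyst that lacks that capability.
SAMPLE_CONF = """\
[role_can_delete]
delete_by_keyword = enabled
deleteIndexesAllowed = *;main

[role_analyst]
deleteIndexesAllowed = main
"""

def parse_roles(text):
    """Parse [role_<name>] stanzas into {name: {key: value}}."""
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = roles.setdefault(name[5:], {}) if name.startswith("role_") else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return roles

def pattern_matches(pattern, index):
    # Assumed wildcard rule (as for srchIndexesDefault): only a pattern that
    # starts with "_" can match an internal index such as _internal.
    if index.startswith("_") != pattern.startswith("_"):
        return False
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), index) is not None

def can_delete(role, index):
    """True only if the role has delete_by_keyword AND a pattern covers index."""
    if role.get("delete_by_keyword") != "enabled":
        return False
    patterns = role.get("deleteIndexesAllowed", "").split(";")  # defaults to none
    return any(p.strip() and pattern_matches(p.strip(), index) for p in patterns)

def wildcard_grants(roles):
    """Roles whose delete scope contains a wildcard, for least-privilege review."""
    return sorted(n for n, r in roles.items() if "*" in r.get("deleteIndexesAllowed", ""))

if __name__ == "__main__":
    roles = parse_roles(SAMPLE_CONF)
    for name, role in roles.items():
        print(name, {i: can_delete(role, i) for i in ("main", "_internal")})
    print("wildcard delete scope:", wildcard_grants(roles))
```

Because `| delete` makes events unsearchable for every user, roles reported by `wildcard_grants` are the ones to review first when auditing who holds delete rights.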


sonny_monti
Path Finder

You did the correct thing to inherit role can_delete and admin capabilities.
Maybe the changes did not go in memory, so try this:

  1. Go to $SPLUNK_HOME/bin
  2. From the terminal/console on the SH: ./splunk reload auth (for Windows: .\splunk reload auth)
  3. Pipe the delete command on your search

This command reloads the authorizations of Splunk.
Let me know if that worked, and give me an upvote if you find this

0 Karma

sam_indeed
Engager

Just replying here in case anyone else stumbles upon this and can't find the same folder, click on the documentation link!

The updated path is 

$SPLUNK_HOME/etc/system/local/

rgreer
Path Finder

This worked for me. Once I added deleteIndexesAllowed to my authorize.conf and restarted Splunk, I was able to remove the data I wanted.

0 Karma

gcusello
SplunkTrust

Hi lstewart [Splunk],
If you're satisfied by this answer, please accept and/or upvote it.
Bye.
Giuseppe

0 Karma

masonmorales
Influencer

Is the new user inheriting both the admin role as well as the can_delete role? Try restarting Splunk after updating the user's roles. You shouldn't have to restart, but maybe you've encountered a bug that is preventing the role's permissions from updating...
