Unable to delete data from Splunk Cloud trial

nickblack · ‎05-14-2015

Hi,
I managed to import the tutorial data twice into my Splunk Cloud sandbox trial (once into the wrong place).
So consequently wanted to delete the incorrect host.
I tried to run 'host=splunk_cloud_trial | delete' in search but came back with:
'Error in 'delete' command: You have insufficient privileges to delete events.'

I stumbled across adding 'delete_by_keyword' capability to sc_admin role, but it won't let me with the error:
'Encountered the following error while trying to update: Client is not authorized to perform requested action'.

Any ideas?
Cheerss

yannK · ‎09-11-2015

ultimately, cloud trials are automatically delete after 15 days, your data will go away with it.

satishsdange · ‎05-14-2015

Clearly you don't have sufficient rights to clean eventdata. You should contact support team. I doubt whether you will get any response considering this is sandbox POC setup.
Quick solution is to create another index & ingest that data once again. Or install Splunk on your laptop/desktop & complete your exercise.

jimmpoul · ‎05-15-2015

We are using Splunk Cloud and had to ask support to be allowed to delete data. Normally you should be able to give the permission to yourself as admin, but there are some limitations to what you can change regarding security in Splunk Cloud.

Unable to delete data from Splunk Cloud trial

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio