Solved: Re: Unable to delete sourcetype

jangid · ‎05-24-2012

I had setup a forwarder to monitor the directory and didn't specify any source type. Splunk automatically create some sourcetype in search app. I don't want these source type and now I want to delete all of them but I am getting some error while deleting.

I am trying to execute below command.

sourcetype=log-too_small | delete

I am getting below error
Error in 'delete' command: You have insufficient privileges to delete events.

While I am logged in as a 'Admin'

any clue what is wrong???

Thanks
Manoj Jangid

jangid · ‎05-24-2012

oops by default admin doesn't have can_delete permission after setting this permission to admin I am able to delete.

View solution in original post

erritesh17 · ‎11-11-2021

In Splunk 8.2 and above go to Settings -> Users

Under actions TAB click on edit and assign a role : can_delete

please check below SS.

Screenshot 2021-11-12 at 10.32.08 AM.png

jangid · ‎05-24-2012

oops by default admin doesn't have can_delete permission after setting this permission to admin I am able to delete.

ak · ‎07-09-2012

Manager -> Access Controls -> Roles -> Select Specific Role that the user belongs to

Scroll down to the "Inheritance" section. Add the "can_delete" role to the Selected Roles on the right.

manishsw · ‎10-10-2016

settings>access controls..

monicato · ‎07-09-2012

where can you change permissions for this function? Did you do this through the GUI?

Unable to delete sourcetype

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio