Solved: Re: Unable to delete sourcetype

jangid · ‎05-24-2012

I had setup a forwarder to monitor the directory and didn't specify any source type. Splunk automatically create some sourcetype in search app. I don't want these source type and now I want to delete all of them but I am getting some error while deleting.

I am trying to execute below command.

sourcetype=log-too_small | delete

I am getting below error
Error in 'delete' command: You have insufficient privileges to delete events.

While I am logged in as a 'Admin'

any clue what is wrong???

Thanks
Manoj Jangid

jangid · ‎05-24-2012

oops by default admin doesn't have can_delete permission after setting this permission to admin I am able to delete.

View solution in original post

erritesh17 · ‎11-11-2021

In Splunk 8.2 and above go to Settings -> Users

Under actions TAB click on edit and assign a role : can_delete

please check below SS.

Screenshot 2021-11-12 at 10.32.08 AM.png

jangid · ‎05-24-2012

oops by default admin doesn't have can_delete permission after setting this permission to admin I am able to delete.

ak · ‎07-09-2012

Manager -> Access Controls -> Roles -> Select Specific Role that the user belongs to

Scroll down to the "Inheritance" section. Add the "can_delete" role to the Selected Roles on the right.

manishsw · ‎10-10-2016

settings>access controls..

monicato · ‎07-09-2012

where can you change permissions for this function? Did you do this through the GUI?

Unable to delete sourcetype

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Unable to delete sourcetype

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases