I wonder if the free version simply ignores any local configuration of the admin role, or if it is possible to change the admin role via the configuration files anyway. It sounds like Splunk Free simply uses the rights used by the default admin role.
Can you try modifying the admin role using a local authorize.conf? See http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Authorizeconf
Brilliant laserval! That did it. Thank you!
I went to splunk/etc/system/local, opened the authorize config file, and added capability::delete_by_keyword to the user there.
Ran the search, piped it into delete, and the records are not showing up in searches!
Can you post your answer under my original problem so I can mark it as answered?
Thank you.
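The edit described above grants a role the delete_by_keyword capability through a local authorize.conf. The following is an added example, not code from this thread or from Splunk: it parses a constructed authorize.conf (using the [role_<name>] stanza and "<capability> = enabled" syntax that Splunk documents for that file) and reports which roles, directly or through importRoles, can run the delete command. The sample file contents and the role names in it are constructed for the example.

```python
"""Audit a Splunk authorize.conf for roles that can delete indexed data.

Added example: parses a constructed authorize.conf and lists the roles
holding the delete_by_keyword capability that the `delete` search
command requires, following importRoles inheritance.
"""
import configparser
from typing import List, Optional, Set

DELETE_CAPABILITY = "delete_by_keyword"

# Constructed sample: a can_delete role plus a local override that grants
# the admin role the delete capability, as the thread describes doing in
# etc/system/local/authorize.conf. Values here are not from a real system.
SAMPLE_AUTHORIZE_CONF = """\
[capability::delete_by_keyword]

[role_can_delete]
delete_by_keyword = enabled

[role_admin]
delete_by_keyword = enabled
importRoles = user

[role_user]
search = enabled
"""


def parse_authorize_conf(text: str) -> configparser.ConfigParser:
    """Parse authorize.conf text.

    Capability stanzas carry no key/value pairs, so allow_no_value is
    required; optionxform=str keeps Splunk's case-sensitive keys intact.
    """
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def enabled_capabilities(cp: configparser.ConfigParser, role: str,
                         _seen: Optional[Set[str]] = None) -> Set[str]:
    """Capabilities enabled for `role`, including those inherited through
    importRoles (a semicolon-separated list in Splunk's format)."""
    if _seen is None:
        _seen = set()
    if role in _seen:  # guard against import cycles
        return set()
    _seen.add(role)
    stanza = f"role_{role}"
    caps: Set[str] = set()
    if not cp.has_section(stanza):
        return caps
    for key, value in cp.items(stanza):
        if key == "importRoles":
            for parent in (value or "").split(";"):
                parent = parent.strip()
                if parent:
                    caps |= enabled_capabilities(cp, parent, _seen)
        elif (value or "").strip().lower() == "enabled":
            caps.add(key)
    return caps


def roles_with_capability(text: str,
                          capability: str = DELETE_CAPABILITY) -> List[str]:
    """Return the sorted list of role names that hold `capability`."""
    cp = parse_authorize_conf(text)
    roles = [s[len("role_"):] for s in cp.sections() if s.startswith("role_")]
    return sorted(r for r in roles if capability in enabled_capabilities(cp, r))


if __name__ == "__main__":
    # Reviewing this list after a config change tells you exactly which
    # roles can remove events from search results.
    for role in roles_with_capability(SAMPLE_AUTHORIZE_CONF):
        print(f"role '{role}' can run | delete")
```

Pointing `parse_authorize_conf` at the text of your own etc/system/local/authorize.conf shows whether a local change actually widened who can delete index data, independent of what the web UI displays.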
just converted it, marked as answered, and upvoted 🙂 cheers!
Patrick
There is no authentication or user and role management when using Splunk Free. You can't modify the admin role with Splunk Free.
Hello!
Here is what you want to know!
The delete operator can only be accessed by a user with the delete_by_keyword capability. By default, Splunk ships with a special role, "can_delete" that has this capability (and no others). The admin role does not have this capability by default. Splunk recommends you create a special user that you log into when you intend to delete index data.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delete
So you have to create a user and grant him a delete capability. Use that user to delete your events, and let me know if you can still see your events after they have been deleted.
Thanks!
Stephane
I am running the free version and do not have access to make any user changes.
Ha ok. The manual is clear:
Restrictions on search, such as user quotas, maximum per-search time ranges, and search filters, are not supported with Splunk Free.
http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/MoreaboutSplunkFree
As I said below, the delete operator can only be accessed by a user with the delete_by_keyword capability. The admin role does not have this capability by default. With Splunk Free, there is only one role (admin), and it is not configurable.
Thanks
Then maybe they should change their documentation to say: Users not allowed to delete using Splunk free.
In previous versions, I had to make sure my user account had delete privileges. In the free version, there is no user control.
Here is what I'm trying to do:
Piping a search to the delete operator marks all the events returned by that search so that later searches do not return them.
http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Delete
Use the splunk clean command to do it. For help, run the splunk clean help command in the CLI.
Example: go to the splunk_home/bin directory and run
./splunk clean eventdata -index=your_index
on Linux, or
splunk clean eventdata -index=your_index
on Windows.
Doesn't that delete all data in an index? I want to keep my data, just want to delete specific events.