
When I pipe search results into the delete command in the free version Splunk 6.2.2, why are the records still searchable?

Contributor

I'm running the free version of Splunk 6.2.2. When I attempt to delete records by sending them to Delete, I get a message that says the items were deleted, and yet when I search for the records, I still see them?


Re: When I pipe search results into the delete command in the free version Splunk 6.2.2, why are the records still searchable?

Motivator

Use the splunk clean command to do it.
To get help, run the splunk clean help command in the CLI.
Ex:
go to the splunk_home/bin directory and run:

./splunk clean eventdata -index=your_index  (on Linux)

or

splunk clean eventdata -index=your_index  (on Windows).

0 Karma

Re: When I pipe search results into the delete command in the free version Splunk 6.2.2, why are the records still searchable?

Contributor

Doesn't that delete all data in an index? I want to keep my data, just want to delete specific events.

0 Karma

Re: When I pipe search results into the delete command in the free version Splunk 6.2.2, why are the records still searchable?

Contributor

Here is what I'm trying to do:
Piping a search to the delete operator marks all the events returned by that search so that later searches do not return them.
http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Delete

0 Karma

Re: When I pipe search results into the delete command in the free version Splunk 6.2.2, why are the records still searchable?

Contributor

In previous versions, I had to make sure my user account had delete privileges. In the free version, there is no user control.

0 Karma

Re: When I pipe search results into the delete command in the free version Splunk 6.2.2, why are the records still searchable?

Motivator

Hello!
Here is what you want to know!

The delete operator can only be accessed by a user with the deletebykeyword capability. By default, Splunk ships with a special role, "can_delete" that has this capability (and no others). The admin role does not have this capability by default. Splunk recommends you create a special user that you log into when you intend to delete index data.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delete

So you have to create a user and grant him the delete capability. Use that user to delete your events, and let me know if you can still see your events after they have been deleted.

Thanks!
Stephane

0 Karma

Re: When I pipe search results into the delete command in the free version Splunk 6.2.2, why are the records still searchable?

Contributor

I am running the free version and do not have access to make any user changes.

0 Karma

Re: When I pipe search results into the delete command in the free version Splunk 6.2.2, why are the records still searchable?

Motivator

Ha, ok. The manual is clear:

Restrictions on search, such as user quotas, maximum per-search time ranges, and search filters, are not supported with Splunk Free.
http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/MoreaboutSplunkFree
As I said below, the delete operator can only be accessed by a user with the deletebykeyword capability. The admin role does not have this capability by default. With Splunk Free, there is only one role (admin), and it is not configurable.

Thanks

0 Karma

Re: When I pipe search results into the delete command in the free version Splunk 6.2.2, why are the records still searchable?

Contributor

Then maybe they should change their documentation to say: Users not allowed to delete using Splunk free.

0 Karma

Re: When I pipe search results into the delete command in the free version Splunk 6.2.2, why are the records still searchable?

Communicator

I wonder if the free version simply ignores any local configuration of the admin role, or if it is possible to change the admin role via the configuration files anyway. It sounds like Splunk Free simply uses the rights of the default admin role.
Can you try modifying the admin role using a local authorize.conf? See http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Authorizeconf
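As an added illustration (not posted in this thread), this is the local authorize.conf change the reply above proposes, together with the searches that confirm whether it took effect. It assumes the capability the docs call "deletebykeyword" is spelled delete_by_keyword in authorize.conf, that the file lives under $SPLUNK_HOME/etc/system/local/, and that your_index and badhost are placeholders for your own values.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf  (added example, not from the thread)
# On Splunk Enterprise the documented route is to log in as a user holding the
# built-in can_delete role, which already carries this capability. On Splunk
# Free only the admin role exists, so the reply above suggests granting the
# capability to admin directly and seeing whether Free honours the override.
[role_admin]
delete_by_keyword = enabled

# Restart Splunk after saving, then verify in two steps (placeholders assumed):
#   index=your_index host=badhost | delete
#   index=your_index host=badhost | stats count
# If the override is honoured, the second search returns 0. If Free ignores the
# local role change, the count is unchanged and the clean command is the only
# remaining option. Either way, | delete only hides the events from search; it
# does not remove them from disk or reclaim space.
```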
