Getting Data In

When I pipe search results into the delete command in the free version Splunk 6.2.2, why are the records still searchable?

cpt12tech
Contributor

I'm running the free version of Splunk 6.2.2. When I attempt to delete records by sending them to Delete, I get a message that says the items were deleted, and yet when I search for the records, I still see them?

Tags (3)
1 Solution

laserval
Communicator

I wonder if the free version simply ignores any local configuration of the admin role, or if it's is possible to change the admin role via the configuration files anyway. It sounds like Splunk Free simply uses the rights used by the default admin role.
Can you try modifying the admin role using a local authorize.conf? see http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Authorizeconf

View solution in original post

laserval
Communicator

I wonder if the free version simply ignores any local configuration of the admin role, or if it's is possible to change the admin role via the configuration files anyway. It sounds like Splunk Free simply uses the rights used by the default admin role.
Can you try modifying the admin role using a local authorize.conf? see http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Authorizeconf

View solution in original post

cpt12tech
Contributor

Brilliant laserval! That did it. Thank you!

I went to
splunk / etc / system / local
opened the authorize config file
and added
capability::delete_by_keyword
to the user there.

Ran the search and piped into delete and the records are not showing up in searches!

Can you post your answer under my original problem so I can mark it as answered?

Thank you.

ppablo
Community Manager
Community Manager

just converted it, marked as answered, and upvoted 🙂 cheers!

Patrick

0 Karma

stephanefotso
Motivator

There is no authentication or user and role management when using Splunk Free. You can't modify the admin role, with splunk free.

0 Karma

stephanefotso
Motivator

Hello!
Here is what you want to know!

The delete operator can only be accessed by a user with the delete_by_keyword capability. By default, Splunk ships with a special role, "can_delete" that has this capability (and no others). The admin role does not have this capability by default. Splunk recommends you create a special user that you log into when you intend to delete index data.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delete

So you have to create a user and grant him a delete capability. Use that user to delete your events, and let me know if you can still see your events afeter they have been deleted.

Thanks!
Stephane

0 Karma

cpt12tech
Contributor

I am running the free version and do not have access to make any user changes.

0 Karma

stephanefotso
Motivator

Ha ok. The manual is clear:

Restrictions on search, such as user quotas, maximum per-search time ranges, and search filters, are not supported with splunk free.
http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/MoreaboutSplunkFree
As i said bellow, The delete operator can only be accessed by a user with the delete_by_keyword capability. The admin role does not have this capability by default. With splunk free, There is only one role (admin), and it is not configurable.

Thanks

0 Karma

cpt12tech
Contributor

Then maybe they should change their documentation to say: Users not allowed to delete using Splunk free.

0 Karma

cpt12tech
Contributor

In previous versions, I had to make sure my user account had delete privileges. In the free version, there is no user control.

0 Karma

cpt12tech
Contributor

Here is what I'm trying to do:
Piping a search to the delete operator marks all the events returned by that search so that later searches do not return them.
http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Delete

0 Karma

fdi01
Motivator

use splunk clean command to do it .
to have help run splunk clean help command in CLI
ex:
go to splunk_home/bin directory to run :

./splunk clean eventdata -index=your_index  on linux

or
splunk clean eventdata -index=your_index on windows.

0 Karma

cpt12tech
Contributor

Doesn't that delete all data in an index? I want to keep my data, just want to delete specific events.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!