Getting Data In

delete events from _internal index

gcusello
Legend

Hi at all,
I'd like to delete some events indexed with a wrong date (2030-04-03).
I enabled admin to can_delete role and I tried to do this but Splunk answers "You do not have the capability to delete from index=_internal".
Does anyone know if it's possible to do this?
Bye.
giuseppe

0 Karma
1 Solution

somesoni2
Revered Legend

It seems this is the undocument restriction of the delete command. Howevers, starting 6.5.x, there is a new attribute in town for roles called 'deleteIndexesAllowed'. The semantics of the values is same as 'srchIndexesDefault' so it may allow deleting from _internal index but haven't tested.

deleteIndexesAllowed = <string>
* Semicolon delimited list of indexes this role is allowed to delete
* This setting must be used in conjunction with the delete_by_keyword
  capability
* Follows the same wildcarding semantics as srchIndexesDefault
* Defaults to none

View solution in original post

somesoni2
Revered Legend

It seems this is the undocument restriction of the delete command. Howevers, starting 6.5.x, there is a new attribute in town for roles called 'deleteIndexesAllowed'. The semantics of the values is same as 'srchIndexesDefault' so it may allow deleting from _internal index but haven't tested.

deleteIndexesAllowed = <string>
* Semicolon delimited list of indexes this role is allowed to delete
* This setting must be used in conjunction with the delete_by_keyword
  capability
* Follows the same wildcarding semantics as srchIndexesDefault
* Defaults to none

View solution in original post

gcusello
Legend

Hi somesoni2,
putting in $SPLUNK_HOME/system/local/authorize.conf

[role_can_delete]
deleteIndexesAllowed = *;_internal

I can delete events from _internal index.

Thank you.
Bye.
Giuseppe

lycollicott
Motivator

I don't believe deleting from _internal is allowed for security, audit, compliance and other assorted butt-covering reasons.

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

I've tried deleting from a summary table and been denied as well.

0 Karma

deepak_acalvio
Explorer

You can use clean eventdata to clean the index completely if needed.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!