Getting Data In

delete events from _internal index

gcusello
SplunkTrust
SplunkTrust

Hi at all,
I'd like to delete some events indexed with a wrong date (2030-04-03).
I enabled admin to can_delete role and I tried to do this but Splunk answers "You do not have the capability to delete from index=_internal".
Does anyone know if it's possible to do this?
Bye.
giuseppe

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

It seems this is the undocument restriction of the delete command. Howevers, starting 6.5.x, there is a new attribute in town for roles called 'deleteIndexesAllowed'. The semantics of the values is same as 'srchIndexesDefault' so it may allow deleting from _internal index but haven't tested.

deleteIndexesAllowed = <string>
* Semicolon delimited list of indexes this role is allowed to delete
* This setting must be used in conjunction with the delete_by_keyword
  capability
* Follows the same wildcarding semantics as srchIndexesDefault
* Defaults to none

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

It seems this is the undocument restriction of the delete command. Howevers, starting 6.5.x, there is a new attribute in town for roles called 'deleteIndexesAllowed'. The semantics of the values is same as 'srchIndexesDefault' so it may allow deleting from _internal index but haven't tested.

deleteIndexesAllowed = <string>
* Semicolon delimited list of indexes this role is allowed to delete
* This setting must be used in conjunction with the delete_by_keyword
  capability
* Follows the same wildcarding semantics as srchIndexesDefault
* Defaults to none

gcusello
SplunkTrust
SplunkTrust

Hi somesoni2,
putting in $SPLUNK_HOME/system/local/authorize.conf

[role_can_delete]
deleteIndexesAllowed = *;_internal

I can delete events from _internal index.

Thank you.
Bye.
Giuseppe

lycollicott
Motivator

I don't believe deleting from _internal is allowed for security, audit, compliance and other assorted butt-covering reasons.

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

I've tried deleting from a summary table and been denied as well.

0 Karma

deepak_acalvio
Explorer

You can use clean eventdata to clean the index completely if needed.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...