Getting Data In

delete events from _internal index

gcusello
SplunkTrust
SplunkTrust

Hi at all,
I'd like to delete some events indexed with a wrong date (2030-04-03).
I enabled admin to can_delete role and I tried to do this but Splunk answers "You do not have the capability to delete from index=_internal".
Does anyone know if it's possible to do this?
Bye.
giuseppe

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

It seems this is the undocument restriction of the delete command. Howevers, starting 6.5.x, there is a new attribute in town for roles called 'deleteIndexesAllowed'. The semantics of the values is same as 'srchIndexesDefault' so it may allow deleting from _internal index but haven't tested.

deleteIndexesAllowed = <string>
* Semicolon delimited list of indexes this role is allowed to delete
* This setting must be used in conjunction with the delete_by_keyword
  capability
* Follows the same wildcarding semantics as srchIndexesDefault
* Defaults to none

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

It seems this is the undocument restriction of the delete command. Howevers, starting 6.5.x, there is a new attribute in town for roles called 'deleteIndexesAllowed'. The semantics of the values is same as 'srchIndexesDefault' so it may allow deleting from _internal index but haven't tested.

deleteIndexesAllowed = <string>
* Semicolon delimited list of indexes this role is allowed to delete
* This setting must be used in conjunction with the delete_by_keyword
  capability
* Follows the same wildcarding semantics as srchIndexesDefault
* Defaults to none

gcusello
SplunkTrust
SplunkTrust

Hi somesoni2,
putting in $SPLUNK_HOME/system/local/authorize.conf

[role_can_delete]
deleteIndexesAllowed = *;_internal

I can delete events from _internal index.

Thank you.
Bye.
Giuseppe

lycollicott
Motivator

I don't believe deleting from _internal is allowed for security, audit, compliance and other assorted butt-covering reasons.

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

I've tried deleting from a summary table and been denied as well.

0 Karma

deepak_acalvio
Explorer

You can use clean eventdata to clean the index completely if needed.

0 Karma
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...