Recently we upgraded to 6.1.1 and I've noticed that users with admin access no longer can delete searches. What permission is needed for this?
It shouldn't be relevant, but we are using search head pooling over NFS.
Thanks
In Splunk go to Settings -> Users
Under actions TAB click on edit and assign a role : can_delete
please check below SS.
Hi adylent,
Just had this problem last week, add the can delete
capability to the admin and you're done.
Cheers, MuS
To anyone trying to add permissions to a user, you'll have to go to Settings -> Access Controls
and select a user. can_delete
is here.
okay, this question can be read both ways. The search command delete
is no longer granted by default (this is the delete_by_keyword
capability btw) and must be assigned, also delete
does not actually delete raw data; it masks the data from showing up in search results.
To delete searches as local admin, using the Job monitor for example, one does not need any special capability.
Maybe the problem it the search head pooling over NFS, try the OS way from the docs to delete those searches http://docs.splunk.com/Documentation/Splunk/6.1.1/Knowledge/ManagejobsfromtheOS
Isn't that capability designed to give the ability to delete data from Splunk using the "delete" command? Per Splunk best practices, this capability should not normally be granted to any users, but instead should only temporarily be granted when specific data needs to be deleted.