Solved: Why am I unable to delete calculated fields from S...

akawacz · ‎10-05-2015

Hi

I am having an issue with deleting/editing calculated fields in Splunk Web. Any idea, how I can remove these two?

The name is like this:

csv : EVALTYPE : EVAL A
csv : EVALTYPE : EVAL B

They are for different field names and have the same eval expression.

I think Splunk does not like the use of : two times because I have created a third calculated filed with only one : and was able to remove it easily.

Error I am getting:
Deleting:

Error occurred attempting to remove csv : EVALTYPE : EVALTYPE: In handler 'props-eval': Object 'csv : EVALTYPE : EVALTYPE' does not exist in user=aaa, app=bbb: props.conf [csv] EVALTYPE : EVALTYPE.

Changing permission:

Splunk could not update permissions for resource data/props/calcfields [HTTP 409] [{'type': 'ERROR', 'code': None, 'text': 'No eligible entity'}]

Editing:

Encountered the following error while trying to update: In handler 'props-eval': Object 'csv : EVALTYPE : EVALTYPE' does not exist in user=aaa, app=bbb: props.conf [rnw-csv] EVALTYPE : EVALTYPE

thank you

woodcock · ‎10-06-2015

Open a support case to report the bug and manually edit the props.conf file with CLI.

View solution in original post

woodcock · ‎10-06-2015

Open a support case to report the bug and manually edit the props.conf file with CLI.

layamba · ‎04-03-2019

Did anyone ever open a support case to report this? I just had same issue with 7.0.0.

Why am I unable to delete calculated fields from Splunk Web?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases