
Can an admin delete any lookup, owned by anybody?

ddrillic
Ultra Champion

I'm trying, as an admin, to delete a couple of lookups, but I don't see a way to do it via the interface. Is there a way to do it? I'm not the owner of them ...

It's interesting that for some of them I see the Move | Delete options and for some not.


@somesoni2 referred to it at "How to delete old lookup table (CSV) files in a search head clustering environment?"

And we see this set -


None of them has the Delete action

0 Karma
1 Solution

chrisyounger
SplunkTrust

Also, you will need to remove the lookups from your search head deployer. Otherwise they will come back next time you do a bundle push.

ddrillic
Ultra Champion

That's it - these lookups were pushed from the search head deployer. However, the UI doesn't allow us to know that these specific ones came from the deployer.

0 Karma

ddrillic
Ultra Champion

Apparently, the ones from the deployer are immutable by design, as under the app directory, we only have the lookups directory and, unlike other knowledge objects, they are not under the local and default directories, which makes them behave differently.

0 Karma

ddrillic
Ultra Champion

Our Sales Engineer said -

-- The ones you can’t delete directly are artifacts from prior to the migration to search head clustering. You’ll have to delete them through the API.

What would be the syntax?

0 Karma

ddrillic
Ultra Champion

@somesoni2 said in the thread -

     curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookupToDelete.csv

Do I do it on one SH?

0 Karma

chrisyounger
SplunkTrust

Yes, it should replicate to the others.

0 Karma

chrisyounger
SplunkTrust

If you have the appropriate permissions, there should be an option on the far right of that screenshot called "delete":


0 Karma

ddrillic
Ultra Champion

Right, I see it for some and for some not...

0 Karma
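
Splunk's REST listing of lookup table files reports a `removable` flag in each entry's `acl`. The following added example, which is not from the thread and is not Splunk's own code, reads a constructed listing response and returns the DELETE path for every copy of a lookup, or `None` where the entry is reported as not removable. The sample data, the `base_url` argument, the "nobody" owner for shared objects, and the use of a bearer token with certificate verification (in place of `-u admin:pass` and `-k`) are assumptions.

```python
import json
import urllib.request
from urllib.parse import quote

# Constructed sample of GET /servicesNS/-/-/data/lookup-table-files?output_mode=json
SAMPLE = json.loads("""
{"entry": [
  {"name": "old_assets.csv",
   "acl": {"app": "search", "owner": "jdoe", "sharing": "user", "removable": true}},
  {"name": "geo codes.csv",
   "acl": {"app": "search", "owner": "nobody", "sharing": "app", "removable": false}}
]}
""")

def delete_path(entry):
    """Return the REST path to DELETE, or None when the entry is not removable."""
    acl = entry.get("acl", {})
    if not acl.get("removable"):
        return None
    # Assumption: private objects are addressed under their owner, shared ones under "nobody".
    owner = acl["owner"] if acl.get("sharing") == "user" else "nobody"
    return "/servicesNS/{}/{}/data/lookup-table-files/{}".format(
        quote(owner, safe=""), quote(acl["app"], safe=""), quote(entry["name"], safe=""))

def plan(listing, names):
    """For each requested name, list (app, owner, path-or-None) for every copy found."""
    out = {n: [] for n in names}
    for e in listing.get("entry", []):
        if e["name"] in out:
            out[e["name"]].append((e["acl"]["app"], e["acl"]["owner"], delete_path(e)))
    return out

def delete(base_url, path, token):
    """Send the DELETE with TLS verification on and a Splunk authentication token."""
    req = urllib.request.Request(base_url + path, method="DELETE",
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:  # default SSL context verifies the certificate
        return resp.status

if __name__ == "__main__":
    for name, copies in plan(SAMPLE, ["old_assets.csv", "geo codes.csv"]).items():
        for app, owner, path in copies:
            print(name, app, owner, "->", path or "not removable (check the deployer bundle)")
```
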