Splunk Search

Can an admin delete any lookup, owned by anybody?

Ultra Champion

I'm trying, as an admin, to delete a couple of lookups, but I don't see a way to do it via the interface. Is there a way to do it? I'm not the owner of them ...

It's interesting that for some of them I see the Move | Delete options and for some not.

alt text

@somesoni2 referred to it at How to delete old lookup table (CSV) files in a search head clustering environment?

And we see this set -

alt text

None of them has the Delete action

Tags (2)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Also, you will need to remove the lookups from your search head deployer. Otherwise they will come back next time you do a bundle push.

View solution in original post

SplunkTrust
SplunkTrust

Also, you will need to remove the lookups from your search head deployer. Otherwise they will come back next time you do a bundle push.

View solution in original post

Ultra Champion

That's it - these lookups were pushed from the search head deployer. However, the UI doesn't allow us to know that these specific ones came from the deployer.

0 Karma

Ultra Champion

Apparently, the ones from the deployer are immutable by design, as under the app directory, we only have the lookups directory and unlike other knowledge objects there are not under the local and default directories, which make them behave differently.

0 Karma

Ultra Champion

Our Sales Engineer said -

-- The ones you can’t delete directly are artifacts from prior to the migration to searchhead clustering. You’ll have to delete them through the API.

What would be the syntax?

0 Karma

Ultra Champion

@somesoni2 said in the thread -

     curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookupToDelete.csv

Do I do it on one SH?

0 Karma

SplunkTrust
SplunkTrust

Yes it should replicate to the others

0 Karma

SplunkTrust
SplunkTrust

If you have the appropriate permissions, there should be an option on the far right of that screenshot called "delete":

alt text

0 Karma

Ultra Champion

Right, I see it for some and for some not...

0 Karma