Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Unable to delete search events

misteryuku
Communicator
‎03-22-2012 09:22 PM

I opened up the splunk search app and added this splunk search command :

sourcetype="addedfields" wrap | delete

The event is retrieved but cannot delete.

I saw this error message thrown :
Error in 'delete' command: You have insufficient privileges to delete events.

How do i resolve this?? so that i can delete the search events.

Reply

brettcave
Builder
‎08-06-2012 09:38 AM

Not sure about versions, we are running 4.3.3, and a better approach in this version is to modify the can_delete role, adding the "admin" role to the can_delete role.

0 Karma
Reply

Damien_Dallimor
Ultra Champion
‎03-22-2012 09:47 PM

Presuming you are admin :

In Splunk Web browse to :

Manager -> Access controls -> Roles -> admin

Scroll down the the "Capabilities" section

Add the "delete_by_keyword" capability.

Reply

Drainy
Champion
‎03-23-2012 02:38 AM

erm, maybe a reinstall? Why did you remove all the admin roles? if its nix head to /opt/splunk/etc/system/default or the equivalent on windows, I believe you can fix it via authorize.conf

0 Karma
Reply

misteryuku
Communicator
‎03-22-2012 11:58 PM

So how do i resolve the problem then?

0 Karma
Reply

misteryuku
Communicator
‎03-22-2012 11:52 PM

I think i did. I'm very sure.

0 Karma
Reply

Ayn
Legend
‎03-22-2012 11:50 PM

Wait, did you remove all permissions from the admin role? That would certainly result in problems when trying to do anything using that admin role afterwards...

0 Karma
Reply

misteryuku
Communicator
‎03-22-2012 11:46 PM

I was unable to save the settings. I also cannot restart splunk.

0 Karma
Reply

Ayn
Legend
‎03-22-2012 10:48 PM

Even an admin is by default not allowed to delete data. You need to make sure you have the "delete_by_keyword" capability, or that you have the "can_delete" role.

0 Karma
Reply

misteryuku
Communicator
‎03-22-2012 10:06 PM

I went to remove all the capabilities under the admin roles access controls and added all again.

hen i see this message again.

Encountered the following error while trying to update: Client is not authorized to perform requested action

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...