Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Unable to delete search events

misteryuku
Communicator
‎03-22-2012 09:22 PM

I opened up the splunk search app and added this splunk search command :

sourcetype="addedfields" wrap | delete

The event is retrieved but cannot delete.

I saw this error message thrown :
Error in 'delete' command: You have insufficient privileges to delete events.

How do i resolve this?? so that i can delete the search events.

Reply

brettcave
Builder
‎08-06-2012 09:38 AM

Not sure about versions, we are running 4.3.3, and a better approach in this version is to modify the can_delete role, adding the "admin" role to the can_delete role.

0 Karma
Reply

Damien_Dallimor
Ultra Champion
‎03-22-2012 09:47 PM

Presuming you are admin :

In Splunk Web browse to :

Manager -> Access controls -> Roles -> admin

Scroll down the the "Capabilities" section

Add the "delete_by_keyword" capability.

Reply

Drainy
Champion
‎03-23-2012 02:38 AM

erm, maybe a reinstall? Why did you remove all the admin roles? if its nix head to /opt/splunk/etc/system/default or the equivalent on windows, I believe you can fix it via authorize.conf

0 Karma
Reply

misteryuku
Communicator
‎03-22-2012 11:58 PM

So how do i resolve the problem then?

0 Karma
Reply

misteryuku
Communicator
‎03-22-2012 11:52 PM

I think i did. I'm very sure.

0 Karma
Reply

Ayn
Legend
‎03-22-2012 11:50 PM

Wait, did you remove all permissions from the admin role? That would certainly result in problems when trying to do anything using that admin role afterwards...

0 Karma
Reply

misteryuku
Communicator
‎03-22-2012 11:46 PM

I was unable to save the settings. I also cannot restart splunk.

0 Karma
Reply

Ayn
Legend
‎03-22-2012 10:48 PM

Even an admin is by default not allowed to delete data. You need to make sure you have the "delete_by_keyword" capability, or that you have the "can_delete" role.

0 Karma
Reply

misteryuku
Communicator
‎03-22-2012 10:06 PM

I went to remove all the capabilities under the admin roles access controls and added all again.

hen i see this message again.

Encountered the following error while trying to update: Client is not authorized to perform requested action

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top