Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Unable to delete search events
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unable to delete search events
I opened up the splunk search app and added this splunk search command :
sourcetype="addedfields" wrap | delete
The event is retrieved but cannot delete.
I saw this error message thrown :
Error in 'delete' command: You have insufficient privileges to delete events.
How do i resolve this?? so that i can delete the search events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure about versions, we are running 4.3.3, and a better approach in this version is to modify the can_delete role, adding the "admin" role to the can_delete role.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Presuming you are admin :
In Splunk Web browse to :
Manager -> Access controls -> Roles -> admin
Scroll down the the "Capabilities" section
Add the "delete_by_keyword" capability.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
erm, maybe a reinstall? Why did you remove all the admin roles? if its nix head to /opt/splunk/etc/system/default or the equivalent on windows, I believe you can fix it via authorize.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So how do i resolve the problem then?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think i did. I'm very sure.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wait, did you remove all permissions from the admin role? That would certainly result in problems when trying to do anything using that admin role afterwards...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was unable to save the settings. I also cannot restart splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Even an admin is by default not allowed to delete data. You need to make sure you have the "delete_by_keyword" capability, or that you have the "can_delete" role.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I went to remove all the capabilities under the admin roles access controls and added all again.
hen i see this message again.
Encountered the following error while trying to update: Client is not authorized to perform requested action
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
