Splunk Search

Unable to delete search events

Communicator

I opened up the splunk search app and added this splunk search command :

sourcetype="addedfields" wrap | delete

The event is retrieved but cannot delete.

I saw this error message thrown :
Error in 'delete' command: You have insufficient privileges to delete events.

How do I resolve this, so that I can delete the search events?

Builder

Not sure about versions, we are running 4.3.3, and a better approach in this version is to modify the candelete role, adding the "admin" role to the candelete role.

0 Karma

Ultra Champion

Presuming you are admin:

In Splunk Web browse to:

Manager -> Access controls -> Roles -> admin

Scroll down to the "Capabilities" section.

Add the "delete_by_keyword" capability.
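Both of the fixes given in this thread (the Builder's "add admin to the can_delete role" and the Ultra Champion's "add delete_by_keyword to admin") can also be expressed in authorize.conf. The fragment below is an added example, not from the original thread; it assumes $SPLUNK_HOME is /opt/splunk as mentioned later in the thread and that the file goes under etc/system/local, which overrides the shipped defaults in etc/system/default.

```ini
# /opt/splunk/etc/system/local/authorize.conf   (assumed path; never edit system/default)
# Splunk must be restarted after changing this file.

# Option A: let the admin role inherit can_delete, which is the shipped role that
# exists only to carry the delete_by_keyword capability. Keep whatever roles admin
# already imports; can_delete is the addition.
[role_admin]
importRoles = can_delete;power;user

# Option B (same effect, pick one): grant the capability to admin directly.
# [role_admin]
# delete_by_keyword = enabled

# Least-privilege alternative: leave admin untouched and create a dedicated cleanup
# role that only the account running "| delete" is assigned to. Note that the delete
# command is irreversible and only marks events unsearchable; it does not free disk.
[role_index_cleanup]
importRoles = user
delete_by_keyword = enabled
```

A search-time check that the grant took effect is to run the same `sourcetype="addedfields" wrap | delete` search again as the affected user; the "insufficient privileges" error should no longer appear.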

Champion

Erm, maybe a reinstall? Why did you remove all the admin roles? If it's *nix, head to /opt/splunk/etc/system/default or the equivalent on Windows; I believe you can fix it via authorize.conf.

0 Karma

Communicator

So how do I resolve the problem then?

0 Karma

Communicator

I think I did. I'm very sure.

0 Karma

Legend

Wait, did you remove all permissions from the admin role? That would certainly result in problems when trying to do anything using that admin role afterwards...

0 Karma

Communicator

I was unable to save the settings. I also cannot restart Splunk.

0 Karma

Legend

Even an admin is by default not allowed to delete data. You need to make sure you have the "deletebykeyword" capability, or that you have the "can_delete" role.

0 Karma

Communicator

I went to remove all the capabilities under the admin role's access controls and added them all again.

Then I see this message again:

Encountered the following error while trying to update: Client is not authorized to perform requested action

0 Karma