Splunk Search
Highlighted

Unable to delete search events

Communicator

I opened up the splunk search app and added this splunk search command :

sourcetype="addedfields" wrap | delete

The event is retrieved but cannot delete.

I saw this error message thrown :
Error in 'delete' command: You have insufficient privileges to delete events.

How do i resolve this?? so that i can delete the search events.

Highlighted

Re: Unable to delete search events

Ultra Champion

Presuming you are admin :

In Splunk Web browse to :

Manager -> Access controls -> Roles -> admin 

Scroll down the the "Capabilities" section

Add the "delete_by_keyword" capability.

Highlighted

Re: Unable to delete search events

Communicator

I went to remove all the capabilities under the admin roles access controls and added all again.

hen i see this message again.

Encountered the following error while trying to update: Client is not authorized to perform requested action

0 Karma
Highlighted

Re: Unable to delete search events

Legend

Even an admin is by default not allowed to delete data. You need to make sure you have the "deletebykeyword" capability, or that you have the "can_delete" role.

0 Karma
Highlighted

Re: Unable to delete search events

Communicator

I was unable to save the settings. I also cannot restart splunk.

0 Karma
Highlighted

Re: Unable to delete search events

Legend

Wait, did you remove all permissions from the admin role? That would certainly result in problems when trying to do anything using that admin role afterwards...

0 Karma
Highlighted

Re: Unable to delete search events

Communicator

I think i did. I'm very sure.

0 Karma
Highlighted

Re: Unable to delete search events

Communicator

So how do i resolve the problem then?

0 Karma
Highlighted

Re: Unable to delete search events

Champion

erm, maybe a reinstall? Why did you remove all the admin roles? if its nix head to /opt/splunk/etc/system/default or the equivalent on windows, I believe you can fix it via authorize.conf

0 Karma
Highlighted

Re: Unable to delete search events

Builder

Not sure about versions, we are running 4.3.3, and a better approach in this version is to modify the candelete role, adding the "admin" role to the candelete role.

0 Karma