I opened up the Splunk search app and added this Splunk search command:
sourcetype="addedfields" wrap | delete
The event is retrieved but cannot be deleted.
I saw this error message thrown:
Error in 'delete' command: You have insufficient privileges to delete events.
How do I resolve this, so that I can delete the search events?
Presuming you are admin:
In Splunk Web, browse to:
Manager -> Access controls -> Roles -> admin
Scroll down to the
I went to remove all the capabilities under the admin role's access controls and added them all again.
Then I see this message again.
Encountered the following error while trying to update: Client is not authorized to perform requested action
Even an admin is by default not allowed to delete data. You need to make sure you have the "deletebykeyword" capability, or that you have the "can_delete" role.
Wait, did you remove all permissions from the admin role? That would certainly result in problems when trying to do anything using that admin role afterwards...
Erm, maybe a reinstall? Why did you remove all the admin roles? If it's *nix, head to /opt/splunk/etc/system/default or the equivalent on Windows; I believe you can fix it via authorize.conf.
Not sure about versions; we are running 4.3.3, and a better approach in this version is to modify the candelete role, adding the "admin" role to the candelete role.
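An added example, not from any poster in this thread: a small Python audit that parses an authorize.conf, follows importRoles inheritance the way Splunk does (imported capabilities are additive and cannot be removed by the importing role), and lists every role that ends up able to run `| delete`. It assumes the stanza key is `delete_by_keyword` (the capability the answers above refer to as "deletebykeyword"/can_delete) and uses a constructed sample file rather than a real deployment's config.

```python
import configparser
from typing import Dict, Set, List

# Constructed sample authorize.conf for the demo (not taken from the thread).
# In a real install the effective file is the merge of etc/system/default,
# etc/system/local and any app-level authorize.conf; point the audit at the
# merged output (e.g. from "splunk btool authorize list") for accurate results.
SAMPLE_AUTHORIZE_CONF = """
[role_can_delete]
delete_by_keyword = enabled

[role_admin]
importRoles = power;user
delete_by_keyword = disabled

[role_power]
importRoles = user

[role_user]
search = enabled

[role_log_cleanup]
importRoles = admin;can_delete
"""

DELETE_CAPABILITY = "delete_by_keyword"   # assumed stanza key for the delete capability


def parse_roles(text: str) -> Dict[str, Dict[str, str]]:
    """Return {role_name: {key: value}} for every [role_<name>] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (importRoles vs delete_by_keyword)
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}


def effective_capabilities(roles: Dict[str, Dict[str, str]], role: str, seen: Set[str] = None) -> Set[str]:
    """Capabilities granted to `role`, including those inherited via importRoles (cycle-safe)."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    stanza = roles[role]
    caps = {k for k, v in stanza.items() if k != "importRoles" and v.strip().lower() == "enabled"}
    for parent in stanza.get("importRoles", "").split(";"):
        if parent.strip():
            caps |= effective_capabilities(roles, parent.strip(), seen)  # inherited caps are additive
    return caps


def roles_that_can_delete(text: str) -> List[str]:
    """Names of roles whose effective capabilities include the delete capability."""
    roles = parse_roles(text)
    return sorted(r for r in roles if DELETE_CAPABILITY in effective_capabilities(roles, r))
```

Running `roles_that_can_delete(SAMPLE_AUTHORIZE_CONF)` shows that plain admin cannot delete (matching the error in the question) while a role that imports can_delete can, which is the list worth reviewing periodically since event deletion affects the integrity of your audit trail.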