Trying to delete data from an index for a specific day, and keep getting an error.
index=os sourcetype=ps provides 600k results for a single day.
index=os sourcetype=ps | delete results in "job terminated unexpectedly" "search terminated because of an error"
Yes, the account has the delete functionality.
Thanks in advance for any thoughts.
I found my particular problem. Some of the files in my index directory were owned by root, and it was preventing my deletes from taking effect. As soon as I reset ownership to splunk:splunk, it started working again.
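A way to check for the ownership problem described in the answer above, as an added example that is not part of the original thread. It assumes GNU find and stat; the function names are hypothetical, and the directory you pass in is wherever your index files live.

```shell
#!/bin/sh
# Added example: find entries in an index directory that the Splunk service
# account does not own. Owner defaults to splunk:splunk, as in the post above.
# Assumes GNU find/stat; function names are hypothetical.

# Print "owner:group path" for every entry under DIR not owned by USER:GROUP.
# USER and GROUP may be account names or numeric ids.
list_foreign_owned() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) \
        -exec stat -c '%U:%G %n' {} +
}

# Return 0 if everything is owned as expected, 1 if foreign-owned entries
# exist (with a per-owner count), 2 if the check itself could not run.
audit_index_ownership() {
    dir=$1 user=${2:-splunk} group=${3:-splunk}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # A find/stat failure (e.g. unknown account name) must not read as "clean".
    out=$(list_foreign_owned "$dir" "$user" "$group") || return 2
    if [ -z "$out" ]; then
        echo "OK: everything under $dir is owned by $user:$group"
        return 0
    fi
    n=$(printf '%s\n' "$out" | wc -l)
    echo "FOUND: $n entries under $dir not owned by $user:$group"
    # Summarise by current owner so root-owned files stand out.
    printf '%s\n' "$out" | cut -d' ' -f1 | sort | uniq -c
    return 1
}

# Usage: sh audit.sh <index-directory> [user] [group]
if [ $# -gt 0 ]; then
    audit_index_ownership "$@"
fi
```

A result of 1 from `audit_index_ownership` is the condition the poster fixed by resetting ownership to splunk:splunk.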
Have you tried deleting data for only a couple hours or some other shorter period of time? It is possible you are hitting resource constraints that are messing with the completion of the job.
I did, and it was still failing.