Solved: Unable to delete sourcetype

jangid · ‎05-24-2012

I had setup a forwarder to monitor the directory and didn't specify any source type. Splunk automatically create some sourcetype in search app. I don't want these source type and now I want to delete all of them but I am getting some error while deleting.

I am trying to execute below command.

sourcetype=log-too_small | delete

I am getting below error
Error in 'delete' command: You have insufficient privileges to delete events.

While I am logged in as a 'Admin'

any clue what is wrong???

Thanks
Manoj Jangid

jangid · ‎05-24-2012

oops by default admin doesn't have can_delete permission after setting this permission to admin I am able to delete.

View solution in original post

erritesh17 · ‎11-11-2021

In Splunk 8.2 and above go to Settings -> Users

Under actions TAB click on edit and assign a role : can_delete

please check below SS.

Screenshot 2021-11-12 at 10.32.08 AM.png

jangid · ‎05-24-2012

oops by default admin doesn't have can_delete permission after setting this permission to admin I am able to delete.

ak · ‎07-09-2012

Manager -> Access Controls -> Roles -> Select Specific Role that the user belongs to

Scroll down to the "Inheritance" section. Add the "can_delete" role to the Selected Roles on the right.

manishsw · ‎10-10-2016

settings>access controls..

monicato · ‎07-09-2012

where can you change permissions for this function? Did you do this through the GUI?

Unable to delete sourcetype

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...