I opened up the splunk search app and added this splunk search command :
sourcetype="addedfields" wrap | delete
The event is retrieved but cannot delete.
I saw this error message thrown :
Error in 'delete' command: You have insufficient privileges to delete events.
How do I resolve this, so that I can delete the search events?
Not sure about versions, we are running 4.3.3, and a better approach in this version is to modify the can_delete role, adding the "admin" role to the can_delete role.
Presuming you are admin:
In Splunk Web browse to:
Manager -> Access controls -> Roles -> admin
Scroll down to the "Capabilities" section.
Add the "delete_by_keyword" capability.
Erm, maybe a reinstall? Why did you remove all the admin roles? If it's *nix, head to /opt/splunk/etc/system/default or the equivalent on Windows; I believe you can fix it via authorize.conf.
So how do i resolve the problem then?
I think i did. I'm very sure.
Wait, did you remove all permissions from the admin role? That would certainly result in problems when trying to do anything using that admin role afterwards...
I was unable to save the settings. I also cannot restart splunk.
Even an admin is by default not allowed to delete data. You need to make sure you have the "delete_by_keyword" capability, or that you have the "can_delete" role.
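The same change the two answers above describe (granting delete_by_keyword, or inheriting it from can_delete) expressed as an authorize.conf fragment. This is an added illustration, not config from the original thread or from Splunk's shipped defaults; the stanza names follow Splunk's `[role_<name>]` convention, the role name `deleter` and the user name are made up for the example, and the file belongs in `$SPLUNK_HOME/etc/system/local/authorize.conf` (never edit the copy under `etc/system/default`, which is overwritten on upgrade). A restart is needed for the change to take effect.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf
#
# Option A (broad): give every admin the delete capability.
# Every holder of the admin role can now run "| delete" on any index.
[role_admin]
delete_by_keyword = enabled

# Option B (least privilege, preferred): a dedicated role that
# inherits the built-in can_delete role, assigned only to the one
# account that really needs to delete. The role name "deleter" is
# an assumption for this example.
[role_deleter]
importRoles = can_delete
```

With option B the user is then mapped to the `deleter` role in Manager -> Access controls -> Users (or in authentication.conf for LDAP group mappings) instead of handing the capability to all admins. Two caveats worth knowing before running `| delete`: the command only marks matching events as unsearchable and does not reclaim disk space (that happens when the bucket is frozen), and because it cannot be undone, run the search without `| delete` first and check the event count.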
I went to remove all the capabilities under the admin role's access controls and added them all again.
Then I see this message again:
Encountered the following error while trying to update: Client is not authorized to perform requested action