https://community.splunk.com/t5/Splunk-Enterprise/Missing-logs/m-p/757802#M23788 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266281">@BRFZ</a>&nbsp;</P><P>If youve been periodically running the indexers under a different user then I suppose there is a chance that the permissions on the buckets for that period of time are owned by a user that Splunk running under the other user cannot see.&nbsp;</P><P>I would suggest checking the ownership of all buckets to ensure they are owned by the user that Splunk is running as. Typically this would be in $SPLUNK_HOME/var/lib/splunk/&lt;indexName&gt;</P><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Fri, 30 Jan 2026 10:58:15 GMT livehybrid 2026-01-30T10:58:15Z https://community.splunk.com/t5/Splunk-Enterprise/Missing-logs/m-p/757799#M23787 <P>Hi everyone,&nbsp;</P><P>I'm facing an issue on my Splunk environment and I'd like your advice.</P><P>After an upgrade, I noticed that I still had to restart/start/stop the Splunk process using sudo (even though before the upgrade it was already running under the correct user : USERX).</P><P>To address this, I stopped the Splunk on Indexers (not at the same time) and reassigned Splunk to run under USERX.</P><P>After this operation, I realized that one full day of logs is missing.</P><P>The issue is that before making this change, I didn't verify whether the logs for that specific day already existed, so I can't say for sure if the gap appeared exactly at that moment.</P><P>If anyone has seen something similar or has any ideas, I'd really appreciate your help.</P><P>Thank you in advance.</P> Fri, 30 Jan 2026 09:43:05 GMT https://community.splunk.com/t5/Splunk-Enterprise/Missing-logs/m-p/757799#M23787 BRFZ 2026-01-30T09:43:05Z https://community.splunk.com/t5/Splunk-Enterprise/Missing-logs/m-p/757802#M23788 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266281">@BRFZ</a>&nbsp;</P><P>If youve been periodically running the indexers under a different user then I suppose there is a chance that the permissions on the buckets for that period of time are owned by a user that Splunk running under the other user cannot see.&nbsp;</P><P>I would suggest checking the ownership of all buckets to ensure they are owned by the user that Splunk is running as. Typically this would be in $SPLUNK_HOME/var/lib/splunk/&lt;indexName&gt;</P><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Fri, 30 Jan 2026 10:58:15 GMT https://community.splunk.com/t5/Splunk-Enterprise/Missing-logs/m-p/757802#M23788 livehybrid 2026-01-30T10:58:15Z https://community.splunk.com/t5/Splunk-Enterprise/Missing-logs/m-p/757848#M23794 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906">@livehybrid</a>&nbsp;</P><P>Thank you for your response. I have verified this point, and the ownership of all buckets is set to&nbsp;the user that Splunk is running as.</P><P>&nbsp;</P> Mon, 02 Feb 2026 08:37:22 GMT https://community.splunk.com/t5/Splunk-Enterprise/Missing-logs/m-p/757848#M23794 BRFZ 2026-02-02T08:37:22Z