Why do I only see the current day's results in searches and should all files in /opt/splunk/var/lib/splunk be owned by root?

thadjames — Fri, 03 Apr 2015 19:22:50 GMT

I'm a total splunk newbie, and I inherited a splunk server running on Red Hat Enterprise Linux 5. The other day, I did a reboot of the system. Since then, I can only view the current day's data when I run a search.

The version of splunk is 5.0.9. Build 213964 Platform linux x86_64. The splunkd service is running as root, but when I look in /opt/splunk/var/lib/splunk, I see that all the files except for the ones ending in .dat are owned by splunk:splunk. The .dat files are owned by root:root. Should they all be owned by root?

Re: Why do I only see the current day's results in searches and should all files in /opt/splunk/var/lib/splunk be owned by root?

masonmorales — Fri, 03 Apr 2015 20:28:47 GMT

You can, but for security purposes, it's not recommended. Best practice is to have a dedicated splunk user account that owns all of the splunk files. See: http://wiki.splunk.com/Deploy:EnsuringSplunkRunsAsNonRootUser

topic Why do I only see the current day's results in searches and should all files in /opt/splunk/var/lib/splunk be owned by root? in Splunk Search

Why do I only see the current day's results in searches and should all files in /opt/splunk/var/lib/splunk be owned by root?

Re: Why do I only see the current day's results in searches and should all files in /opt/splunk/var/lib/splunk be owned by root?