I ran Splunk 7.2 once as root and now I'm no longer to start it again as non-root. I just get heaps of permission denied errors (mostly local.meta, but also savedsearches). Starting and then properly stopping again, as root, still doesn't fix the problem.
1) How is it acceptable that running Splunk once as root crashes your entire Splunk instance?
2) How do I fix this besides going through and chmod-ing EVERYTHING?
When you do that on Linux you then need to chown -R splunk:splunk $SPLUNK_HOME
In other words, you give ownership of all the splunk files in all the subdirectories of Splunk back to the 'splunk' user (the user that should be running Splunk). Suggest you will have a similar fix in Windows.
Google suggested "takeown /f <some-file-or-folder> /r" as an equivalent.
splunk stop
takeown .... to give the correct user ownership
as the user that should be running splunk: start splunk
...Laurie:{)
Look @nick405060, by starting it as root many files will be owned by root, so stopping and starting won't change it. As an admin person, you need to put the safeguards around it. As you can imagine, it's a very common mistake.
In order to prevent this situation, you need to set SPLUNK_OS_USER
correctly in splunk-launch.conf
.
@nick405060 If your problem is resolved, please accept the answer to help future readers.