I ran Splunk 7.2 once as root and now I'm no longer to start it again as non-root. I just get heaps of permission denied errors (mostly local.meta, but also savedsearches). Starting and then properly stopping again, as root, still doesn't fix the problem.
1) How is it acceptable that running Splunk once as root crashes your entire Splunk instance?
2) How do I fix this besides going through and chmod-ing EVERYTHING?
Look @nick405060, by starting it as root many files will be owned by root, so stopping and starting won't change it. As an admin person, you need to put the safeguards around it. As you can imagine, it's a very common mistake.
In order to prevent this situation, you need to set
SPLUNK_OS_USER correctly in
@nick405060 If your problem is resolved, please accept the answer to help future readers.
When you do that on Linux you then need to chown -R splunk:splunk $SPLUNK_HOME
In other words, you give ownership of all the splunk files in all the subdirectories of Splunk back to the 'splunk' user (the user that should be running Splunk). Suggest you will have a similar fix in Windows.
Google suggested "takeown /f <some-file-or-folder> /r" as an equivalent.
takeown .... to give the correct user ownership
as the user that should be running splunk: start splunk