Archive
Highlighted

Why is the index I created owned by file system root?

I created a test index and assigned it to the search app using the Splunk Web GUI. On the filesystem a local folder was created (/opt/splunk/etc/apps/search/local). However that local folder is not owned by the splunk local user I created for all Splunk related functions. It is owned by root. How do I change my Splunk settings so that items created using the GUI are owned by splunk and not by root?

Highlighted

Re: Why is the index I created owned by file system root?

Path Finder

When you first install splunk, everything in /opt/splunk/ is owned by "splunk".

However, if you're running splunk as root, everything created, from there on out, will be owned by "root".

To change this, stop splunk, run "/opt/splunk/bin/splunk enable boot-start -user splunk", then "chown -R splunk:splunk /opt/splunk" and start splunk back up.

(keep in mind that "splunk" probably won't be able to run on port 80/443 without changing OS permissions)

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.