
Files owned by root under splunk

nbcohen
Explorer

I've created a couple of dashboards and some reports, and I've started looking at packaging up my files to move them to a production environment. In looking at the files under $SPLUNK_HOME, I see that most of them are owned by user splunk, but some are owned by root. In particular, in my app named Foo, I have the following files in directory $SPLUNK_HOME/etc/apps/Foo/local:

pwd

/xxx/splunk/etc/apps/Foo/local

ls -l

total 28
-rw------- 1 splunk splunk 167 Apr 29 2010 app.conf
drwx------ 3 splunk splunk 4096 Apr 7 2010 data
-rw------- 1 root root 6924 Dec 10 13:51 savedsearches.conf
-rw------- 1 root root 11660 Dec 10 13:47 viewstates.conf

The file savedsearches.conf contains the definitions of my reports and viewstates.conf contains the various charts I've created for my dashboard. But should those files be owned by root or by splunk? I have done all the work of building the dashboard while logged in as myself (nbc), and I have not manually touched any of those files in the system (although someone else may have).

Do I need to change the ownership of these (and any other?) files so that they are all owned by splunk? Or is the file ownership not an issue? Note that splunk itself seems to be running fine on this system - all my reports and dashboards seem to display correctly. I plan to pick up the entire Foo app and move it to my production system at some point and I'm just wondering if the file ownership will cause problems when I try to do the packaging and move to another machine.

Thanks,

nbc

0 Karma

bwooden
Splunk Employee

All files in a Splunk distribution should be owned by user and group of whoever is starting Splunk.

Stop Splunk

chmod -R user:group $SPLUNK_HOME

Restart Splunk as that user.

0 Karma

nbcohen
Explorer

Thanks - I'll arrange to do that...

nbc

0 Karma

t0c
Engager

Should be chown -R user:group $SPLUNK_HOME

Not chmod.
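
A read-only check to run before the recursive chown discussed in this thread, added here as an example and not part of any post above: it lists the entries under $SPLUNK_HOME that are not owned by the account that starts Splunk. The function names and the SPLUNK_USER / SPLUNK_GROUP variables are assumptions made for the example.

```shell
#!/bin/sh
# Added example: read-only ownership audit to run before `chown -R`.
# SPLUNK_USER and SPLUNK_GROUP are assumed variable names for this example.

# list_foreign_owned DIR USER GROUP
# Print every path under DIR whose owner is not USER or whose group is not GROUP.
list_foreign_owned() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# check_ownership DIR USER GROUP
# Exit status: 0 = all entries match, 1 = mismatches printed, 2 = bad arguments.
check_ownership() {
    if [ "$#" -ne 3 ] || [ ! -d "$1" ]; then
        echo "usage: check_ownership DIR USER GROUP" >&2
        return 2
    fi
    foreign=$(list_foreign_owned "$1" "$2" "$3")
    if [ -n "$foreign" ]; then
        printf '%s\n' "$foreign"
        return 1
    fi
    return 0
}

# Run the audit only when SPLUNK_HOME points at a real directory.
if [ -n "${SPLUNK_HOME:-}" ] && [ -d "$SPLUNK_HOME" ]; then
    user=${SPLUNK_USER:-splunk}
    group=${SPLUNK_GROUP:-splunk}
    if check_ownership "$SPLUNK_HOME" "$user" "$group"; then
        echo "All entries under $SPLUNK_HOME are owned by $user:$group"
    else
        echo "Entries above are not owned by $user:$group; after stopping Splunk:" >&2
        echo "  chown -R $user:$group $SPLUNK_HOME" >&2
    fi
fi
```

Run it as root or as the Splunk user: directories with mode drwx------, like the ones in the listing above, cannot be traversed by other accounts, so files below them would be missed.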
