I created a test index and assigned it to the search app using the Splunk Web GUI. On the filesystem a local folder was created (/opt/splunk/etc/apps/search/local). However, that local folder is not owned by the splunk local user I created for all Splunk-related functions. It is owned by root. How do I change my Splunk settings so that items created using the GUI are owned by splunk and not by root?
When you first install Splunk, everything in /opt/splunk/ is owned by "splunk".
However, if you're running Splunk as root, everything created from there on out will be owned by "root".
To change this, stop Splunk, run "/opt/splunk/bin/splunk enable boot-start -user splunk", then "chown -R splunk:splunk /opt/splunk", and start Splunk back up.
(Keep in mind that "splunk" probably won't be able to run on port 80/443 without changing OS permissions.)
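
A read-only check for the fix described in the answer above, added here as an example and not part of the original thread: it lists paths under the Splunk directory that are not owned by the service account and reports any splunkd process running as a different user. The function names and the SPLUNK_HOME / SPLUNK_USER defaults (/opt/splunk, splunk) are assumptions based on the paths in the thread.

```shell
#!/bin/sh
# Added example: verify the ownership fix after the chown and restart.
# Assumptions: install path /opt/splunk and service account "splunk".
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"

# Print every path under $1 that is NOT owned by user $2 (name or numeric uid).
foreign_owned() {
    find "$1" ! -user "$2" -print
}

# Count the paths foreign_owned would print.
count_foreign_owned() {
    foreign_owned "$1" "$2" | wc -l | tr -d ' '
}

# Print the distinct owners of all running splunkd processes.
splunkd_owners() {
    ps -e -o user= -o comm= 2>/dev/null | awk '$2 == "splunkd" { print $1 }' | sort -u
}

audit() {
    # An unknown account would make find fail and the count read as zero.
    id "$SPLUNK_USER" >/dev/null 2>&1 || { echo "no such user: $SPLUNK_USER"; return 2; }
    rc=0
    n=$(count_foreign_owned "$SPLUNK_HOME" "$SPLUNK_USER")
    if [ "$n" -gt 0 ]; then
        echo "$n path(s) under $SPLUNK_HOME not owned by $SPLUNK_USER, first 10:"
        foreign_owned "$SPLUNK_HOME" "$SPLUNK_USER" | head -n 10
        rc=1
    fi
    for u in $(splunkd_owners); do
        if [ "$u" != "$SPLUNK_USER" ]; then
            echo "splunkd is running as $u, expected $SPLUNK_USER"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $SPLUNK_HOME is owned by and running as $SPLUNK_USER"
    return "$rc"
}

# Only run the audit when the install directory actually exists.
if [ -d "$SPLUNK_HOME" ]; then
    audit
fi
```

Run it as root or as the service account so that find can read every directory; a non-zero exit status means something is still owned by, or running as, another user.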