The deployment server and the UF both run on Linux. On the deployment server the app is owned by splunk:splunk, but when I push the app to the UF the ownership changes to root:root, and the permissions change as well. What configuration do I need to change so that the owner and permissions of the app do not change? The Splunk service runs as the Splunk user.
Hello, I've been facing the same issue.
Were you able to find the reason for this?
Hi
Are you 100% sure that both the DS and the UF run splunkd as user and group splunk? Also check that all the /opt/splunk/ files on the DS are owned by splunk:splunk, and that on the UF side all files and subdirectories under /opt/splunkforwarder are owned by splunk:splunk.
r. Ismo
Hi,
Yes, I've checked that; also, both machines are running on Linux.
It's probably from the agent side, since we pushed the app to ~500 UFs but only 5 or 6 failed.
It's almost 100% sure that you are running splunkd as root on those instances, as when those are written to disk by splunkd (as DC) it uses its own uid + gid, which in this case were both 0, as root has.
The only other option that comes to my mind is that there is some external process which changed the ownership of those files. Then, depending on their access mode, splunkd usually cannot read them, as it doesn't have access rights to root-owned files unless they are world readable (they shouldn't be).
Thanks for the elaboration.
What's the correct way to check which user is running splunkd? I am using ps aux | grep splunk to check it.
That should be OK. Another is:
ps -C splunkd -o euser,ruser,suser,fuser,group,egroup,rgroup,sgroup,f,start,args,label
which tells a little bit more about the user and group etc. for the splunkd process.
If/when splunkd is running as e.g. user splunk, all those different users + groups show as splunk. If anything else, then ....
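An added example, not part of the thread and not Splunk's own tooling: a script for a Linux forwarder that combines the two checks discussed above, the identities splunkd runs under and any files under the forwarder directory that are not owned by splunk:splunk. The function names, the WANT_USER/WANT_GROUP variables and the sample rows are assumptions made for illustration; the path and the ps columns are the ones mentioned in the thread.

```sh
#!/bin/sh
# Added example. Defaults are assumptions; override through the environment.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"   # UF path from the thread
WANT_USER="${WANT_USER:-splunk}"
WANT_GROUP="${WANT_GROUP:-splunk}"

# Constructed sample rows: euser ruser suser fuser egroup rgroup sgroup pid
SAMPLE_PS='splunk splunk splunk splunk splunk splunk splunk 1201
root root root root root root root 2417
splunk splunk splunk splunk root splunk splunk 3310'

# Read rows in the layout above on stdin and print every row where any
# user or group field differs from the expected user ($1) / group ($2).
flag_wrong_identity() {
    awk -v u="$1" -v g="$2" '
        NF >= 8 && ($1 != u || $2 != u || $3 != u || $4 != u ||
                    $5 != g || $6 != g || $7 != g) { print }'
}

# Print every path under directory $1 whose owner is not $2 or whose
# group is not $3. Names or numeric IDs are both accepted by find.
find_foreign_owned() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# Live check on this host: any output means something to investigate.
check_host() {
    echo "splunkd processes not running purely as $WANT_USER:$WANT_GROUP:"
    ps -C splunkd -o euser= -o ruser= -o suser= -o fuser= \
        -o egroup= -o rgroup= -o sgroup= -o pid= |
        flag_wrong_identity "$WANT_USER" "$WANT_GROUP"
    echo "paths under $SPLUNK_HOME not owned by $WANT_USER:$WANT_GROUP:"
    find_foreign_owned "$SPLUNK_HOME" "$WANT_USER" "$WANT_GROUP"
}

# Run the live check only when asked, e.g.: sh check_splunk_owner.sh --run
if [ "${1:-}" = "--run" ]; then
    check_host
fi
```

Running it with --run on the 5 or 6 affected forwarders and on one healthy forwarder makes the difference between them visible in one pass.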