Splunk Enterprise

Attempting to revert the SPLUNK_HOME ownership?

Skeer-Jamf
Path Finder

This happens regardless of if I am installing fresh or upgrading to version 9.1.0.1 an existing install. Every action that involves the splunk binary prepends all output with:

Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunkfwd /opt/splunkforwarder"

 

I've tried manually running that, as Root! And it still persists even though now the contents under /opt/splunkforwarder are owned by splunkfwd recursively!


yoho
Contributor

Still a known issue in Splunk 10.0: SPL-226019

0 Karma

Skeer-Jamf
Path Finder

Thank you Sanjay, so yet another known issue, huh? Upgrading/installing version 9 has a few, it seems.

So, being as though I'm sure this is low priority is there any ETA on it at all? I have automation that handles the installing of the UF. Now when checking the returns/results of a service restart I need to make sure to include bits to ensure the 'Warning' generated doesn't cause me problems.

0 Karma

SanjayReddy
SplunkTrust

Hi @Skeer-Jamf 

This is a known issue. As long as splunkforwarder is owned by the correct user and working as expected, it won't cause any issue. See the known issues of the UF for reference:

https://docs.splunk.com/Documentation/Splunk/9.1.0/ReleaseNotes/Knownissues 


 

----
Regards,
Sanjay Reddy


patng_nw
Communicator

I want to point out that these two warnings are breaking my jobs because on some machines I am using the splunkforwarder CLI to run queries on the splunk cluster and export the results to files.

https://docs.splunk.com/Documentation/Splunk/9.1.1/Search/ExportdatausingCLI

These two extra warning lines are now written to the export files as well.

I think it is ok for the CLI to print warnings, but the splunk CLI should follow best practice and write these warnings to stderr. But it's writing them to stdout, so we can't use the standard practice of `2> err.txt 1> export.csv` to handle warnings.

Now I have to add this to ALL the script files which are running the splunkforwarder CLI, which is pretty ugly:
`| grep -vi "warning:" > export.csv`

I wish there were a flag to disable warnings, or the splunkforwarder CLI should at least write them to stderr instead of stdout.

0 Karma

SierraX369
Engager

A bit less ugly is to use `| sed -n '3,$p' > export.csv`

0 Karma
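An added example, not part of any post in this thread: a POSIX shell filter that moves only the two warning lines quoted in the original question from stdout to stderr, and only while they lead the output. Export rows that contain the word "warning" are kept, hosts that do not print the banner lose no rows, and the command's exit status survives for automation that checks it. `fake_splunk` is a constructed stand-in for the splunk CLI, `strip_ownership_warnings` and `run_clean` are hypothetical helper names, and the chown pattern assumes the warning always has the form `chown -R <user> <path>`.

```shell
#!/bin/sh
# Added example: divert the known SPLUNK_HOME ownership banner to stderr.

strip_ownership_warnings() {
    awk '
        # Banner lines are only recognised before the first real output line.
        !body && /^Warning: Attempting to revert the SPLUNK_HOME ownership$/ { print > "/dev/stderr"; next }
        # Assumption: user and path vary per install, the rest of the line is fixed.
        !body && /^Warning: Executing "chown -R [^ ]+ [^"]+"$/ { print > "/dev/stderr"; next }
        # Anything else is data; from here on nothing is filtered.
        { body = 1; print }
    '
}

# Run a command, clean its stdout, and return the command's own exit status
# (a plain pipeline would return the status of the filter instead).
run_clean() {
    _tmp=$(mktemp) || return 1
    "$@" > "$_tmp"
    _rc=$?
    strip_ownership_warnings < "$_tmp"
    rm -f "$_tmp"
    return "$_rc"
}

# Constructed sample output: banner, CSV header, one row that mentions a warning.
fake_splunk() {
    printf '%s\n' \
        'Warning: Attempting to revert the SPLUNK_HOME ownership' \
        'Warning: Executing "chown -R splunkfwd /opt/splunkforwarder"' \
        '_time,host,message' \
        '2023-07-17T10:00:00,web01,"Warning: disk almost full"'
    return 3   # constructed non-zero status to show it is preserved
}

# Demo: data on stdout, banner on stderr, status reported afterwards.
run_clean fake_splunk || echo "exit status preserved: $?" >&2
```

With this in place the usual `2> err.txt 1> export.csv` redirection separates the banner from the export again.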

jfrench
Loves-to-Learn Lots

It is a breaking issue as I cannot run btool on my forwarders that are throwing this message. 

0 Karma

SierraX369
Engager

btool is its own program in $SPLUNK_HOME/bin.
It is a bit more tricky to use because you have to be in the Splunk env.

I successfully tested the following procedure on UF 9.2.2:

. /opt/splunkforwarder/bin/setSplunkEnv
btool inputs list

Without sourcing the Splunk env you get a missing libraries error:

/opt/splunkforwarder/bin/btool inputs list
/opt/splunkforwarder/bin/splunkd: error while loading shared libraries: libmongoc-1.0.so.0: cannot open shared object file: No such file or directory

 

0 Karma