Splunk Enterprise

Is it mandatory to create the "splunkfwd" user for Universal Forwarder 9.4.0 or higher version

Nraj87
Explorer

The splunkfwd user is created by default in version 9.1, and I am seeing the warning "User splunkfwd does not exist - using root" during the upgrade.

The upgrade guide does not say that creating the splunkfwd user is mandatory for Universal Forwarder installations or upgrades.

Upgrade the universal forwarder | Splunk Docs
"When you upgrade, the RPM/DEB package installer retrieves the file owner of SPLUNK_HOME/etc/myinstall/splunkd.xml. If a previous user exists, the RPM/DEB package installer will not create a splunkfwd user and instead will reuse the existing user. If you wish to create a least privileged user, that is, the splunkfwd user, you must remove the existing user first."


The warning about the missing splunkfwd user appears during the upgrade, but there are no permission issues, and the forwarder is functioning properly with the "splunk" user.

I would appreciate your guidance on whether it is mandatory to create the splunkfwd user for Universal Forwarder 9.4.0 or a higher version.

Note: in this topic, Splunk Enterprise and the Splunk UF are not installed on the same machine.


isoutamo
SplunkTrust

Hi

You should always have a separate user for running the UF on any box. What this user name should be, and whether it is local or centrally managed, depends on your company's policies. Anyhow, it should be something other than root!

Earlier that user was splunk, as it also is in Enterprise. At some point it changed to splunkfwd. I'm not sure if it's currently splunk again or still splunkfwd.

If/when you are using your OS's package manager to install the Splunk UF, it creates that user and usually you don't need to take care of it. But when you are using the tar.gz package and install it manually or with some scripts, you must create that OS-level user yourself.

The most important task is to check that this user owns all files under SPLUNK_HOME and that the correct OS user name is used in the enable boot-start settings! Basically this user name can be whatever you want, but if/when you are using something other than the defaults, you must always do chown -R after you have updated the UF version!

With earlier Splunk versions you had to grant this user access to your monitored log files. Currently this is not needed if/when you are using the systemd start scripts. Whether this change is good or not is another story.

You could look more:

r. Ismo
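As an added example (not Splunk's own tooling and not part of the thread above), a POSIX shell audit that applies the two checks discussed: infer the account the RPM/DEB installer would reuse from the owner of SPLUNK_HOME/etc/myinstall/splunkd.xml, confirm that OS account actually exists (the missing-account case is what produces the "using root" warning), and count entries under SPLUNK_HOME that the account does not own. The directory layout and the small demo tree are constructed assumptions, not a real forwarder install.

```shell
#!/bin/sh
# Added example, not Splunk's own tooling; SPLUNK_HOME layout is assumed and
# the splunkd.xml path is the one the upgrade guide quoted above.
# Owner name of one path (ls -ld column 3 works on GNU and BSD alike).
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Account the RPM/DEB installer reuses on upgrade: the owner of
# etc/myinstall/splunkd.xml. Prints nothing if that file is absent.
installer_reuse_user() {
    f="$1/etc/myinstall/splunkd.xml"
    if [ -f "$f" ]; then file_owner "$f"; fi
}

# Does the OS account exist? If not, the installer warns and falls back to root.
user_exists() {
    id "$1" >/dev/null 2>&1
}

# Number of entries under SPLUNK_HOME not owned by the wanted account.
# Compares names via ls, so an unknown account yields a count, not a find error.
count_not_owned_by() {
    home="$1"; want="$2"
    find "$home" -print | while read -r p; do
        [ "$(file_owner "$p")" = "$want" ] || echo "$p"
    done | awk 'END { print NR }'
}

# Full audit: 0 = consistent, 1 = must fix, 2 = cannot infer the account.
audit_splunk_home() {
    home="$1"; want="${2:-$(installer_reuse_user "$home")}"
    if [ -z "$want" ]; then
        echo "no splunkd.xml under $home; cannot infer the service account"; return 2
    elif ! user_exists "$want"; then
        echo "account '$want' does not exist: installer would fall back to root"; return 1
    elif [ "$want" = root ]; then
        echo "$home is owned by root: run the forwarder as an unprivileged account"; return 1
    fi
    bad="$(count_not_owned_by "$home" "$want")"
    [ "$bad" -eq 0 ] && { echo "ok: everything under $home is owned by $want"; return 0; }
    echo "$bad entries under $home not owned by $want; chown -R $want $home, then re-check"; return 1
}
# Constructed demo tree (two empty files, no real Splunk install) for a dry run.
make_demo_home() {
    d="$(mktemp -d)"
    mkdir -p "$d/etc/myinstall" "$d/var/log"
    : > "$d/etc/myinstall/splunkd.xml"; : > "$d/var/log/splunkd.log"
    echo "$d"
}
```

Run `audit_splunk_home /opt/splunkforwarder` (or whatever your SPLUNK_HOME is) after each upgrade; a non-zero exit is the cue to fix ownership or the boot-start user before the next restart.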
