Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Missing logs

BRFZ
Communicator
‎01-30-2026 01:43 AM

Hi everyone, 

I'm facing an issue on my Splunk environment and I'd like your advice.

After an upgrade, I noticed that I still had to restart/start/stop the Splunk process using sudo (even though before the upgrade it was already running under the correct user : USERX).

To address this, I stopped the Splunk on Indexers (not at the same time) and reassigned Splunk to run under USERX.

After this operation, I realized that one full day of logs is missing.

The issue is that before making this change, I didn't verify whether the logs for that specific day already existed, so I can't say for sure if the gap appeared exactly at that moment.

If anyone has seen something similar or has any ideas, I'd really appreciate your help.

Thank you in advance.

Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎01-30-2026 02:58 AM

Hi @BRFZ 

If youve been periodically running the indexers under a different user then I suppose there is a chance that the permissions on the buckets for that period of time are owned by a user that Splunk running under the other user cannot see. 

I would suggest checking the ownership of all buckets to ensure they are owned by the user that Splunk is running as. Typically this would be in $SPLUNK_HOME/var/lib/splunk/<indexName>

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply

BRFZ
Communicator
‎02-02-2026 12:37 AM

Hi @livehybrid 

Thank you for your response. I have verified this point, and the ownership of all buckets is set to the user that Splunk is running as.

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...