Splunk Enterprise

Why permission error after upgrade during restart?


Exception: <class 'PermissionError'>, Value: [Errno 13] Permission denied: '/opt/splunk/etc/system/local/authentication.conf.migratepreview'


Unable to restart Splunk after upgrade

Labels (2)
Tags (3)
0 Karma


What system is this? I assume this is some flavor of linux. Which distribution? How did you do the upgrade? (rpm? deb? tgz?) How was the original system installed?


0 Karma


Similar has happened to me for my last 2 upgrades (9.0.5 and  In both cases after the upgrade, some conf files end up with root:root ownership.  Before the upgrade they were splunk:splunk.

Offending files (plus 1 .pyc file and migration.log in var/log/splunk):




Primary concern are the conf files.  The upgrade is by .tgz file run as splunk:splunk.  The initial start is run by root cuz it needs root permissions to create the systemd boot-start file.  Is this just going to keep happening since I need to run "splunk enable boot-start . . . " as root?
It's not a big deal to run chown to fix everything, but it is a manually step when is sometimes forgotten.

0 Karma


Things don't happen by themselves usually. You must have sone something as root so that resulting files ended up being owned by root.

0 Karma


Make sure you performed the upgrade as the right user (the owner of Splunk as opposed to root).  Ensure all files in $SPLUNK_HOME are owned by the user running Splunk.

If this reply helps you, Karma would be appreciated.


I have inherited this system and the original owner is no longer with us.

How do I determine which account to use?

Is it better to uninstall and reinstall?


0 Karma


If Splunk is running : you can find the user running Splunk using 

ps -aux | grep -i Splunk

And find which user is running the process

If Splunk is not running : you can check who owns the $SPLUNK_HOME folder (usually under /opt/splunk)

As @richgalloway mentioned, you can try this command o be sure the user that will run Splunk has the ownership of the install path :

chown -R <user_meant_to_run_splunk> /opt/splunk


Good luck!

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...