When you first install Splunk, everything in /opt/splunk/ is owned by "splunk".
However, if you're running Splunk as root, everything created from there on out will be owned by "root".
To change this, stop Splunk, run "/opt/splunk/bin/splunk enable boot-start -user splunk", then "chown -R splunk:splunk /opt/splunk" and start Splunk back up.
(Keep in mind that "splunk" probably won't be able to run on port 80/443 without changing OS permissions.)
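A check to run after the steps in the post above, added here as an example that is not part of the original answer: it lists anything under the Splunk directory that is still owned by an account other than the expected one, such as files created while Splunk ran as root. The function names `list_misowned` and `count_misowned` are made up for this example; `/opt/splunk` and `splunk` are the path and account from the post.

```shell
#!/bin/sh
# Added example: audit file ownership under a Splunk install.
# list_misowned / count_misowned are hypothetical helper names.

# Print every path under DIR whose owner is not OWNER.
# OWNER may be an account name or a numeric uid.
list_misowned() {
    dir=$1
    owner=$2
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # -xdev stays on one filesystem; find does not follow symlinks by default,
    # so a link pointing outside DIR is reported itself, not its target.
    find "$dir" -xdev ! -user "$owner" -print
}

# Print the number of such paths (0 means ownership is consistent).
# Paths containing newlines would be counted more than once.
count_misowned() {
    out=$(list_misowned "$1" "$2") || return $?
    if [ -z "$out" ]; then
        echo 0
        return 0
    fi
    printf '%s\n' "$out" | wc -l | tr -d ' '
}

# When called with two arguments, list the offending paths, e.g.:
#   sh audit_owner.sh /opt/splunk splunk
if [ "$#" -eq 2 ]; then
    list_misowned "$1" "$2"
fi
```

A non-empty listing after the `chown -R` means something wrote into the tree under another account afterwards, which usually points at the service still being started as root.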