When you first install splunk, everything in /opt/splunk/ is owned by "splunk". However, if you're running splunk as root, everything created, from there on out, will be owned by "root". To change this, stop splunk, run "/opt/splunk/bin/splunk enable boot-start -user splunk", then "chown -R splunk:splunk /opt/splunk" and start splunk back up. (keep in mind that "splunk" probably won't be able to run on port 80/443 without changing OS permissions) ... View more