I'm still seeing this behavior in an upgrade to 9.2.1 (via rpm). This system was running an older version of Splunk. The "splunk" user did exist, and logs were showing up in the indexers/web-search. The service is running via systemd. Upon starting, it chowned everything to the wrong user (splunkfwd) and it couldn't access its config and exited. Lol. Please, Splunk, do not force user names or group names and don't change them during an update! It is not the (unix) way. (Don't get me started about the main Splunk process being able to modify its own config and binaries and execute the altered binaries. That just isn't safe.) I reverted to a snapshot. At least Splunk runs and logs again. Unfortunately, this is a compliance failure at modern companies. > Now tell me again why this stunt was necessary.