Initially, when I checked in $SPLUNK_HOME/etc/splunk-launch.conf, the user name was csoc, but then I changed it to indexer yesterday since I was having some issues.
It's currently still set to indexer: SPLUNK_OS_USER=indexer
When I ran the cat/grep command for all 3 (csoc, indexer, splunk), it only brought back results for indexer and splunk.
root@indexer:~# cat /etc/passwd | grep indexer
root@indexer:~# cat /etc/passwd | grep splunk
Modify the following line to suit the location of your Splunk install.
If unset, Splunk will use the parent of the directory containing the splunk
By default, Splunk stores its indexes under SPLUNK_HOME in the
var/lib/splunk subdirectory. This can be overridden
Splunkd daemon name
Splunkweb daemon name
If SPLUNK_OS_USER is set, then Splunk service will only start
if the 'splunk [re]start [splunkd]' command is invoked by a user who
is, or can effectively become via setuid(2), $SPLUNK_OS_USER.
(This setting can be specified as username or as UID.)
Ok, where to go from here?
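The check described in the post (does the SPLUNK_OS_USER value resolve to an account, as a username or as a UID), written out as an added example that is not part of the original post or of Splunk's tooling. The function names are hypothetical, and the lookup assumes local accounts in a passwd-format file (default /etc/passwd), not LDAP or other NSS sources.

```shell
#!/bin/sh
# Added example, not Splunk tooling: check that SPLUNK_OS_USER from a
# splunk-launch.conf resolves to a real account (by username or UID).

# Print the last uncommented SPLUNK_OS_USER value found in conf file $1.
launch_conf_user() {
    sed -n 's/^[[:space:]]*SPLUNK_OS_USER[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Look up $1 as a username or numeric UID in passwd-format file $2.
# Prints "name:uid" and returns 0 on a match, returns 1 otherwise.
resolve_account() {
    awk -F: -v want="$1" '
        $1 == want || $3 == want { print $1 ":" $3; found = 1; exit }
        END { exit !found }' "$2"
}

# Report OK / MISSING / UNSET for conf file $1 (passwd file $2 optional).
check_os_user() {
    os_user=$(launch_conf_user "$1")
    if [ -z "$os_user" ]; then
        echo "UNSET"
        return 0
    fi
    if acct=$(resolve_account "$os_user" "${2:-/etc/passwd}"); then
        echo "OK $acct"
    else
        echo "MISSING $os_user"
        return 1
    fi
}

# With arguments, check the given files; with none, run on constructed samples.
if [ "$#" -gt 0 ]; then
    check_os_user "$@"
else
    tmp=$(mktemp -d)
    # Constructed sample data: a passwd file without csoc, a conf naming csoc.
    printf 'root:x:0:0::/root:/bin/bash\nindexer:x:1001:1001::/home/indexer:/bin/bash\n' > "$tmp/passwd"
    printf '# SPLUNK_OS_USER=splunk\nSPLUNK_OS_USER=csoc\n' > "$tmp/launch.conf"
    check_os_user "$tmp/launch.conf" "$tmp/passwd" || true   # MISSING csoc
    rm -rf "$tmp"
fi
```

A MISSING result means the configured value matches no local account. An OK result should then be compared with the owner of the files under $SPLUNK_HOME.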