Initially, when I checked $SPLUNK_HOME/etc/splunk-launch.conf, the user name was csoc, but I changed it to indexer yesterday since I was having some issues.
It's currently still set to indexer: SPLUNK_OS_USER=indexer
When I ran the cat/grep command for all 3 (csoc, indexer, splunk), it only returned results for indexer and splunk.
root@indexer:~# cat /etc/passwd | grep indexer
indexer:x:1000:1000:indexer,,,:/home/indexer:/bin/bash
root@indexer:~# cat /etc/passwd | grep splunk
splunk:x:1001:1001::/home/splunk:
Version 6.5.2
Modify the following line to suit the location of your Splunk install.
If unset, Splunk will use the parent of the directory containing the splunk
CLI executable.
SPLUNK_HOME=/home/build/build-home/ivory
By default, Splunk stores its indexes under SPLUNK_HOME in the
var/lib/splunk subdirectory. This can be overridden
here:
SPLUNK_DB=/home/build/build-home/ivory/var/lib/splunk
Splunkd daemon name
SPLUNK_SERVER_NAME=Splunkd
Splunkweb daemon name
SPLUNK_WEB_NAME=splunkweb
If SPLUNK_OS_USER is set, then Splunk service will only start
if the 'splunk [re]start [splunkd]' command is invoked by a user who
is, or can effectively become via setuid(2), $SPLUNK_OS_USER.
(This setting can be specified as username or as UID.)
SPLUNK_OS_USER
SPLUNK_OS_USER=indexer
Ok, where to go from here?
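The lookup described in the post (does the account named in SPLUNK_OS_USER exist?) can be done as one exact-match check that also handles the UID form the config comment allows. This is an added example, not part of the original post and not Splunk's own code; the function name `check_splunk_os_user` is hypothetical, and it assumes local accounts in a passwd-format file and that the last uncommented assignment is the one that counts.

```shell
#!/bin/sh
# Added example (not from the original post).
# Resolves SPLUNK_OS_USER from a splunk-launch.conf against a passwd-format
# file, accepting either a username or a numeric UID.
#
# Usage: check_splunk_os_user "$SPLUNK_HOME/etc/splunk-launch.conf" /etc/passwd
# Prints: unset | missing:<value> | ok:<name>:<uid>:<home>
check_splunk_os_user() {
    conf=$1
    passwd=${2:-/etc/passwd}

    # Take uncommented "SPLUNK_OS_USER=value" lines only. If there are
    # several, use the last one (an assumption of this example). Strip a
    # trailing CR and trailing whitespace, which are easy to miss by eye.
    value=$(sed -n 's/^[[:space:]]*SPLUNK_OS_USER[[:space:]]*=[[:space:]]*//p' "$conf" \
            | tr -d '\r' | sed 's/[[:space:]]*$//' | tail -n 1)

    if [ -z "$value" ]; then
        echo "unset"
        return 0
    fi

    # Exact match on field 1 (name) or field 3 (UID). A plain
    # "grep splunk /etc/passwd" would also match substrings such as
    # "splunkfwd" or a home directory path.
    entry=$(awk -F: -v v="$value" \
        '$1 == v || $3 == v { print $1 ":" $3 ":" $6; exit }' "$passwd")

    if [ -z "$entry" ]; then
        # The configured account does not exist locally.
        echo "missing:$value"
        return 1
    fi

    echo "ok:$entry"
}
```

Accounts served through LDAP or another NSS source do not appear in /etc/passwd; on such hosts, feed the function the output of `getent passwd` saved to a file instead.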