Hi!
What has worked for me, especially when I would run into permission issues early in my splunking career, is to follow the steps listed above, but then add the following touches (assuming splunk is the user you want to use):
sudo $SPLUNK_HOME/bin/splunk stop (no need to have splunkd cling to files/process that retain the previous ownership)
sudo su splunk
sudo chown -R splunk:splunk /opt/splunk(or where ever splunk is installed)
sudo $SPLUNK_HOME/bin/splunk start
Let splunk run through it's initialization process and BAM! Splunk is running as the new user, all of the ownership should be changed recursively throughout the file structure, and you've removed the need to reindex data or run chown multiple times. Hopefully this works with the same magical flair for you as it has for me. But you have shout "Bam!" with an exaggerated motion or else you break the magic. 🙂 happy splunking, my friend.
... View more