I packed a Splunk app with the tar command on a Linux host, running as the root user. As a result, the owner and group owner are both 'root'. After I installed it in Splunk Enterprise, I found that the decompressed directory and its files are all owned by 'root'. However, the other installed app directories and files belong to 'splunk'.
So, should I su to splunk first and then pack the app file?
Hiya - My preference is the Splunk Enterprise CLI command . Ideally Splunk isn't running as root so run this as the same user Splunk is running as. I find it does the best job ensuring the package is most compliant. You MAY still need to tweak file and directory permissions, remove hidden files, and clean up any local dir content before you wanna publish it for others.
If the app is owned by any user but is world (or at least splunk) readable, it should "mostly work", meaning that splunk will be able to read its contents and apply settings. But you may face problems if the app is more complicated than a simple list of props/transforms. For example, if the app is configured from the WebUI and writes its settings into its own local folder. That will of course not work if splunkd does not have permissions to write to that dir.
So long story short - do change your app files/dirs ownership to your splunk user.
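A pre-publish check for the points raised in the answers above (recorded owner, hidden files, local dir content, loose permissions), added here as an example and not code from any poster or from Splunk. The app name `my_app`, the sample entries and the expected owner name `splunk` are constructed assumptions; the script only reports what the archive records, not what ownership the files get after install.

```python
import io
import tarfile

# Constructed sample entries: (path inside the archive, permission bits).
SAMPLE = [
    ("my_app/default/props.conf", 0o644),
    ("my_app/local/inputs.conf", 0o644),   # leftover local dir content
    ("my_app/.DS_Store", 0o644),           # hidden file
    ("my_app/bin/run.sh", 0o777),          # world-writable script
]

def build_sample(owner):
    """Build an in-memory .tgz whose entries record `owner` as user and group."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode in SAMPLE:
            data = b"# constructed sample\n"
            info = tarfile.TarInfo(name)
            info.uname = info.gname = owner
            info.mode, info.size = mode, len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def audit_app_tarball(fileobj, expected_owner="splunk"):
    """Return (path, issue) pairs for entries a packager should review."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar.getmembers():
            name = m.name.removeprefix("./")
            parts = name.split("/")
            # Owner/group names as recorded by whoever ran tar.
            if m.uname != expected_owner or m.gname != expected_owner:
                findings.append((name, f"owner {m.uname}:{m.gname}"))
            # Dotfiles and dot-directories anywhere in the path.
            if any(p.startswith(".") for p in parts):
                findings.append((name, "hidden file"))
            # Anything below <app>/local/ is site-specific configuration.
            if len(parts) > 2 and parts[1] == "local":
                findings.append((name, "local/ content"))
            # Write bit set for "other".
            if m.mode & 0o002:
                findings.append((name, "world-writable"))
    return findings

if __name__ == "__main__":
    for path, issue in audit_app_tarball(build_sample("root")):
        print(f"{issue:18} {path}")
```

To check a real package, pass an opened file instead of the sample: `audit_app_tarball(open("my_app.tgz", "rb"))`.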
Thanks for your help. I found that I trigger the splunkd as root, not splunk.