Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why do I only see the current day's results in searches and should all files in /opt/splunk/var/lib/splunk be owned by root?

thadjames
New Member
‎04-03-2015 12:22 PM

I'm a total splunk newbie, and I inherited a splunk server running on Red Hat Enterprise Linux 5. The other day, I did a reboot of the system. Since then, I can only view the current day's data when I run a search.

The version of splunk is 5.0.9. Build 213964 Platform linux x86_64. The splunkd service is running as root, but when I look in /opt/splunk/var/lib/splunk, I see that all the files except for the ones ending in .dat are owned by splunk:splunk. The .dat files are owned by root:root. Should they all be owned by root?

Tags (3)
0 Karma
Reply

masonmorales
Influencer
‎04-03-2015 01:28 PM

You can, but for security purposes, it's not recommended. Best practice is to have a dedicated splunk user account that owns all of the splunk files. See: http://wiki.splunk.com/Deploy:EnsuringSplunkRunsAsNonRootUser

Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...