I'm a total splunk newbie, and I inherited a splunk server running on Red Hat Enterprise Linux 5. The other day, I did a reboot of the system. Since then, I can only view the current day's data when I run a search.
The version of splunk is 5.0.9. Build 213964 Platform linux x86_64. The splunkd service is running as root, but when I look in /opt/splunk/var/lib/splunk
, I see that all the files except for the ones ending in .dat are owned by splunk:splunk. The .dat files are owned by root:root. Should they all be owned by root?
You can, but for security purposes, it's not recommended. Best practice is to have a dedicated splunk user account that owns all of the splunk files. See: http://wiki.splunk.com/Deploy:EnsuringSplunkRunsAsNonRootUser