Re: Why do I only see the current day's results in...

thadjames · ‎04-03-2015

I'm a total splunk newbie, and I inherited a splunk server running on Red Hat Enterprise Linux 5. The other day, I did a reboot of the system. Since then, I can only view the current day's data when I run a search.

The version of splunk is 5.0.9. Build 213964 Platform linux x86_64. The splunkd service is running as root, but when I look in /opt/splunk/var/lib/splunk, I see that all the files except for the ones ending in .dat are owned by splunk:splunk. The .dat files are owned by root:root. Should they all be owned by root?

masonmorales · ‎04-03-2015

You can, but for security purposes, it's not recommended. Best practice is to have a dedicated splunk user account that owns all of the splunk files. See: http://wiki.splunk.com/Deploy:EnsuringSplunkRunsAsNonRootUser

Why do I only see the current day's results in searches and should all files in /opt/splunk/var/lib/splunk be owned by root?

Data Persistence in the OpenTelemetry Collector

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Community Content Calendar, September edition

Are you a member of the Splunk Community?

Why do I only see the current day's results in searches and should all files in /opt/splunk/var/lib/splunk be owned by root?

Data Persistence in the OpenTelemetry Collector

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Community Content Calendar, September edition