I just tested the Splunk discovery and I have some issues:
I'm using Splunk 6.2.5.
Any Splunk command launched by the tideway user cannot execute:
-bash-4.2$ su - tideway
[tideway@centos7 ~]$ /opt/splunk/bin/splunk version
Error setting the real and effective group id:Operation not permitted(1)
configured_asPath=splunk configured_asUID=1000 rv__drop_priv_perm=-1 Failed to set effective and real user to value of env var SPLUNK_OS_USER, "splunk"; exiting.: Operation not permitted
FYI, the command "splunk show license" is deprecated.
Thanks a lot for your feedback. I have sent you a message so that we can work offline on this and fix/enhance the pattern accordingly.