Solved: Determine Splunkd restart reason

Derek · ‎07-13-2010

I have a user who did something that is now prompting for a splunk restart.

Is there any way to determine what config change they made?

I've looked through the _internal index but with no luck.

Thanks!

gkanapathy · ‎07-13-2010

The _audit index normally contains fschange events for changes in Splunk config files (actually everything under $SPLUNK_HOME/etc). Look for action=update. The splunkd_access and splunkweb_access logs also show user activity. It is possible that no changes were made and that the notification in the GUI was triggered by going to a page where a change might have been made. It is also possible that a change was made and immediately reversed before the fschange notification could detect it.

View solution in original post

gkanapathy · ‎07-13-2010

The _audit index normally contains fschange events for changes in Splunk config files (actually everything under $SPLUNK_HOME/etc). Look for action=update. The splunkd_access and splunkweb_access logs also show user activity. It is possible that no changes were made and that the notification in the GUI was triggered by going to a page where a change might have been made. It is also possible that a change was made and immediately reversed before the fschange notification could detect it.

Derek · ‎07-14-2010

Thanks! It was most likely going to a page where a change may have happend.

Determine Splunkd restart reason

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life