Archive
Highlighted

Determine Splunkd restart reason

Path Finder

I have a user who did something that is now prompting for a splunk restart.

Is there any way to determine what config change they made?

I've looked through the _internal index but with no luck.

Thanks!

Tags (1)
0 Karma
Highlighted

Re: Determine Splunkd restart reason

Splunk Employee
Splunk Employee

The _audit index normally contains fschange events for changes in Splunk config files (actually everything under $SPLUNK_HOME/etc). Look for action=update. The splunkd_access and splunkweb_access logs also show user activity. It is possible that no changes were made and that the notification in the GUI was triggered by going to a page where a change might have been made. It is also possible that a change was made and immediately reversed before the fschange notification could detect it.

View solution in original post

0 Karma
Highlighted

Re: Determine Splunkd restart reason

Path Finder

Thanks! It was most likely going to a page where a change may have happend.

0 Karma