Archive

How can I force Splunk to reread a config file every now and then in addition to when it changes?

Builder

All,

I am bringing in a number of configs as sourcetype=config_file via inputs.conf and I am pretty happy with it. How ever the index I am using is aging out some of the config_files. Is there a way to ensure the config files are reread every week or so in addition to bringing them in when the file changes?

0 Karma
1 Solution

Builder

Ended up giving up and creating a one line script that just says "cat /etc/passwd and created these stanzas. Verified the cat output is Md5 identical to to a monitor input so works out.

# /etc/passwd
[monitor:///etc/passwd]
  index=os
  sourcetype=config_file
  disabled = 0

[script://./bin/catPasswd.sh]
  sourcetype = config_file
  source=/etc/passwd
  interval = 86400
  index = os
  disabled = 0

[fschange:/etc/passwd]
  index = os
  recurse = false
  pollPeriod = 60
  hashMaxSize=1000
  disabled = 0

View solution in original post

0 Karma

Builder

Ended up giving up and creating a one line script that just says "cat /etc/passwd and created these stanzas. Verified the cat output is Md5 identical to to a monitor input so works out.

# /etc/passwd
[monitor:///etc/passwd]
  index=os
  sourcetype=config_file
  disabled = 0

[script://./bin/catPasswd.sh]
  sourcetype = config_file
  source=/etc/passwd
  interval = 86400
  index = os
  disabled = 0

[fschange:/etc/passwd]
  index = os
  recurse = false
  pollPeriod = 60
  hashMaxSize=1000
  disabled = 0

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Hi daniel333,

there is the /debug/refresh endpoint to reload configs, but be aware it will reload inputs on the fly and current connection will just be dropped.
The other option is to check a specific REST endpoint http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTlist if it supports the _reload option and only reload the specific endpoint.

Hope this helps ...

cheers, MuS

SplunkTrust
SplunkTrust

Update, if you want to reload just one config using the debug/refresh endpoint you can follow this instruction http://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationfilechangesthatrequirerestart#...

SplunkTrust
SplunkTrust

I just realised that I completely misunderstood your question :facepalm:

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!