Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I reload savedsearches.conf without restarting?

echalex
Builder
‎10-09-2012 04:28 AM

Hi,

Since, I'm runnning into problems with concurrent historical searches approaching the limit, I decided to heed the advice of rescheduling them not to run on top of the hour every hour.

Since there are a lot of those, I prefer to do it in the shell:

cd etc/apps/webintelligence
egrep '^(cron.*|\[.*\])$' default/savedsearches.conf  | \
egrep -B 1 'cron_schedule = 0(\ \*){4}' | \ 
perl -pe 's/0((?:\ \*){4})/3$1\n/g' > local/savedsearches.conf

What this does, is take every stanza with a cron_schedule of 0 * * * * and turn it into 3 * * * *, ie. running it 3 minutes after the hour.

Unfortunately, Splunk doesn't recognise this change. (and I've tried |extract reload=T). If I click on each saved search, it will show the correct schedule, but under the "Searches and reports", it is still scheduled to run at 15:00, rather than 15:03.

So can I reload this configuration without restarting Splunk?

Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎10-09-2012 04:46 AM

Yes. Hitting the /debug/refresh endpoint should activate these changes.

http(s)://yoursplunkhost:8000/debug/refresh

View solution in original post

Reply
Solved! Jump to solution

dougmartin
Path Finder
‎06-23-2016 06:51 AM

You can access specific reloads like this:
https://spliunk:8080/en-US/debug/refresh?entity=admin/savedsearch

Reply
Solved! Jump to solution

gfrjonp
Explorer
‎11-08-2012 06:51 PM

Check this out:
http://splunk-base.splunk.com/answers/5838/can-inputsconf-be-reloaded-without-restarting-splunkd?pag...

cd /opt/splunk/bin (or your $SPLUNK_BASE)
./splunk _internal call /services/data/inputs/monitor/_reload -auth

This will prompt you for username & pass of a web admin user.

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎10-09-2012 04:46 AM

Yes. Hitting the /debug/refresh endpoint should activate these changes.

http(s)://yoursplunkhost:8000/debug/refresh
Reply
Solved! Jump to solution

splunk68
Path Finder
‎05-17-2013 06:20 AM

It worked for me, on Splunk Search Head 5.0.2.

0 Karma
Reply
Solved! Jump to solution

echalex
Builder
‎10-09-2012 05:51 AM

Ok, that does explain it.
Thanks for your help!

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎10-09-2012 05:50 AM

I imagine this will not have effect on events that have already entered the scheduler.

0 Karma
Reply
Solved! Jump to solution

echalex
Builder
‎10-09-2012 05:28 AM

I still can't see the changes. It does seem that the new schedule enters into force after the next scheduled run, in any case.

Should it work for all apps?

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎10-09-2012 05:16 AM

Sorry, my bad - the link should point to the regular Splunk web interface, not the splunkd port. Updated my answer with the correct link.

0 Karma
Reply
Solved! Jump to solution

echalex
Builder
‎10-09-2012 05:01 AM

Thanks,

It does not seem to work... Does it matter that that I get a 404 error from that url?

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...