Deployment Architecture

Can I reload savedsearches.conf without restarting?

echalex
Builder

Hi,

Since, I'm runnning into problems with concurrent historical searches approaching the limit, I decided to heed the advice of rescheduling them not to run on top of the hour every hour.

Since there are a lot of those, I prefer to do it in the shell:

cd etc/apps/webintelligence
egrep '^(cron.*|\[.*\])$' default/savedsearches.conf  | \
egrep -B 1 'cron_schedule = 0(\ \*){4}' | \ 
perl -pe 's/0((?:\ \*){4})/3$1\n/g' > local/savedsearches.conf

What this does, is take every stanza with a cron_schedule of 0 * * * * and turn it into 3 * * * *, ie. running it 3 minutes after the hour.

Unfortunately, Splunk doesn't recognise this change. (and I've tried |extract reload=T). If I click on each saved search, it will show the correct schedule, but under the "Searches and reports", it is still scheduled to run at 15:00, rather than 15:03.

So can I reload this configuration without restarting Splunk?

1 Solution

Ayn
Legend

Yes. Hitting the /debug/refresh endpoint should activate these changes.

http(s)://yoursplunkhost:8000/debug/refresh

View solution in original post

dougmartin
Path Finder

You can access specific reloads like this:
https://spliunk:8080/en-US/debug/refresh?entity=admin/savedsearch

gfrjonp
Explorer

Check this out:
http://splunk-base.splunk.com/answers/5838/can-inputsconf-be-reloaded-without-restarting-splunkd?pag...

cd /opt/splunk/bin (or your $SPLUNK_BASE)
./splunk _internal call /services/data/inputs/monitor/_reload -auth

This will prompt you for username & pass of a web admin user.

Ayn
Legend

Yes. Hitting the /debug/refresh endpoint should activate these changes.

http(s)://yoursplunkhost:8000/debug/refresh

splunk68
Path Finder

It worked for me, on Splunk Search Head 5.0.2.

0 Karma

echalex
Builder

Ok, that does explain it.
Thanks for your help!

0 Karma

Ayn
Legend

I imagine this will not have effect on events that have already entered the scheduler.

0 Karma

echalex
Builder

I still can't see the changes. It does seem that the new schedule enters into force after the next scheduled run, in any case.

Should it work for all apps?

0 Karma

Ayn
Legend

Sorry, my bad - the link should point to the regular Splunk web interface, not the splunkd port. Updated my answer with the correct link.

0 Karma

echalex
Builder

Thanks,

It does not seem to work... Does it matter that that I get a 404 error from that url?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...