Deployment Architecture

Find changes that require a restart of Splunk?

BenjaminWyatt
Communicator

I logged into Splunk today, and got the dreaded "Splunk must be restarted for changes to take effect" message. The thing is, neither I nor anyone on my team made any changes that require a restart. So now I'm combing through the logs, trying to figure out what the change was that Splunk is complaining about, but I'm having trouble determining where to look - I've mainly been looking at _audit events, but I'm not finding anything there. How do you all go about finding these sorts of changes?

lukejadamec
Super Champion

Try looking in the _internal index, and search for "*restart*", or "*required a restart*".

I don't think you will see what you're looking for in _audit.

0 Karma

lukejadamec
Super Champion

If Splunk did not log an event that would require a restart, then once you find it you should submit a bug report.
If it is not in the splunk log, then I recommend searching the Splunk directory for file system changes that night.
You can also search the system's logs for activity pertaining to "*splunk*" over that timeframe.

0 Karma
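One way to carry out the file-system check suggested in the reply above, as an added example that is not part of the original thread or Splunk's own tooling: list configuration files under the Splunk `etc` directory whose modification time falls inside a given window. It assumes configuration lives in `.conf` and `.meta` files under `$SPLUNK_HOME/etc`; the function names and the example path are hypothetical.

```python
import os
import sys
import time

# Assumption: configuration lives in .conf and .meta files under $SPLUNK_HOME/etc.
CONFIG_SUFFIXES = (".conf", ".meta")

def recent_config_changes(etc_dir, start, end, suffixes=CONFIG_SUFFIXES):
    """Return [(mtime, relative_path)] for config files modified in [start, end], oldest first."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(etc_dir):
        for name in filenames:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.lstat(path).st_mtime
            except OSError:
                continue  # file vanished or became unreadable during the walk
            if start <= mtime <= end:
                hits.append((mtime, os.path.relpath(path, etc_dir)))
    return sorted(hits)

def scope_of(rel_path):
    """Label a path by where it sits: apps/<app>, users/<user>, or its top-level directory."""
    parts = rel_path.split(os.sep)
    if parts[0] in ("apps", "users") and len(parts) > 2:
        return parts[0] + "/" + parts[1]
    return parts[0]

if __name__ == "__main__":
    # Usage: script.py /opt/splunk/etc 12   (path and hour count are example values)
    etc_dir, hours = sys.argv[1], float(sys.argv[2])
    now = time.time()
    for mtime, rel in recent_config_changes(etc_dir, now - hours * 3600, now):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime))
        print(stamp, scope_of(rel), rel, sep="\t")
```

Modification times only cover files that still exist, so a deleted file will not appear; compare the output against the system's own logs for the same timeframe.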

BenjaminWyatt
Communicator

I did a search for LocalAppsAdminHandler and didn't see anything.

Yes, that's the message I'm seeing when users see the banner.

0 Karma

lukejadamec
Super Champion

Chances are you are looking for a single message.

Try searching for LocalAppsAdminHandler.
Is the message you're seeing "GET /services/messages/restart_required"?

0 Karma

BenjaminWyatt
Communicator

I looked at that, but it appears the only events I find with "restart" are logs associated with users seeing the "requires a restart" message - not with the event that caused the need for a restart. Any other ideas where it might be hiding?

0 Karma