Deployment Architecture

Find changes that require a restart of Splunk?

BenjaminWyatt
Communicator

I logged into Splunk today, and got the dreaded "Splunk must be restarted for changes to take effect" message. The thing is, neither I nor anyone on my team made any changes that require a restart. So now I'm combing through the logs, trying to figure out what the change was that Splunk is complaining about, but I'm having trouble determining where to look - I've mainly been looking at _audit events, but I'm not finding anything there. How do you all go about finding these sorts of changes?

lukejadamec
Super Champion

Try looking in the _internal index, and search for "*restart*", or "*required a restart*".

I don't think you will see what you're looking for in _audit.

0 Karma

lukejadamec
Super Champion

If Splunk did not log an event that would require a restart, then once you find it you should submit a bug report.
If it is not in the splunk log, then I recommend searching the Splunk directory for file system changes that night.
You can also search the system's logs for activity pertaining to "*splunk*" over that timeframe.

0 Karma
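Added example, not part of the original thread and not Splunk's own tooling: one way to carry out the file-system check suggested in the reply above, listing `.conf` and `.meta` files under the Splunk `etc` directory whose modification time falls inside a chosen window. The default path `/opt/splunk`, the function names and the suffix list are assumptions made for this sketch.

```python
import os
import sys
from datetime import datetime

def scope_of(rel):
    """Label a path relative to etc/ by the config scope it belongs to."""
    parts = rel.split(os.sep)
    if parts[0] == "system":
        return "system"
    if parts[0] == "apps" and len(parts) > 1:
        return "app:" + parts[1]
    if parts[0] == "users" and len(parts) > 1:
        return "user:" + parts[1]
    return "other"

def changed_files(etc_dir, start, end, suffixes=(".conf", ".meta")):
    """Return sorted (mtime, scope, relative_path) for files modified in [start, end]."""
    lo, hi = start.timestamp(), end.timestamp()
    hits = []
    for root, _dirs, files in os.walk(etc_dir):
        for name in files:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(root, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if lo <= mtime <= hi:
                rel = os.path.relpath(path, etc_dir)
                hits.append((mtime, scope_of(rel), rel))
    return sorted(hits)

if __name__ == "__main__":
    # Usage: script.py 2024-01-10T00:00 2024-01-10T06:00  (local time)
    # SPLUNK_HOME falls back to /opt/splunk, an assumed install path.
    etc = os.path.join(os.environ.get("SPLUNK_HOME", "/opt/splunk"), "etc")
    start, end = (datetime.fromisoformat(a) for a in sys.argv[1:3])
    for mtime, scope, rel in changed_files(etc, start, end):
        stamp = datetime.fromtimestamp(mtime).isoformat(timespec="seconds")
        print(stamp, scope, rel)
```

Modification time only records the last write, so a file copied in with preserved timestamps will not show up in the window.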

BenjaminWyatt
Communicator

I did a search for LocalAppsAdminHandler and didn't see anything.

Yes, that's the message I'm seeing when users see the banner.

0 Karma

lukejadamec
Super Champion

Chances are you are looking for a single message.

Try searching for LocalAppsAdminHandler.
Is the message you're seeing "GET /services/messages/restart_required"?

0 Karma

BenjaminWyatt
Communicator

I looked at that, but it appears the only events I find with "restart" are logs associated with users seeing the "requires a restart" message - not with the event that caused the need for a restart. Any other ideas where it might be hiding?

0 Karma