Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Find changes that require a restart of Splunk?

BenjaminWyatt
Communicator
‎08-22-2013 12:28 PM

I logged into Splunk today, and got the dreaded "Splunk must be restarted for changes to take effect" message. The thing is, neither I nor anyone on my team made any changes that require a restart. So now I'm combing through the logs, trying to figure out what the change was that Splunk is complaining about, but I'm having trouble determining where to look - I've mainly been looking at _audit events, but I'm not finding anything there. How do you all go about finding these sorts of changes?

Reply

lukejadamec
Super Champion
‎08-22-2013 12:49 PM

Try looking in the _internal index, and search for "*restart*", or "*required a restart*".

I don't think you will see what you're looking for in _audit.

0 Karma
Reply

lukejadamec
Super Champion
‎08-23-2013 12:20 PM

If Splunk did not log an event that would require a restart, then once you find it you should submit a bug report.
If it is not in the splunk log, then I recommend searching the Splunk directory for file system changes that night.
You can also search the system's logs for activity pertaining to "*splunk*" over that timeframe.

0 Karma
Reply

BenjaminWyatt
Communicator
‎08-22-2013 08:06 PM

I did a search for LocalAppsAdminHandler and didn't see anything.

Yes, that's the message I'm seeing when users see the banner.

0 Karma
Reply

lukejadamec
Super Champion
‎08-22-2013 02:28 PM

Chances are you are looking for a single message.

Try searching for LocalAppsAdminHandler.
Is the message you're seeing "GET /services/messages/restart_required"?

0 Karma
Reply

BenjaminWyatt
Communicator
‎08-22-2013 02:02 PM

I looked at that, but it appears the only events I find with "restart" are logs associated with users seeing the "requires a restart" message - not with the event that caused the need for a restart. Any other ideas where it might be hiding?

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...