We're seeing a banner indicating that a restart is required to make changes effective. But nobody knows what changed (the users with admin rights appear to not have made any changes). Before restarting (and potentially breaking something), is there a way to know what change Splunk thinks it needs to restart for?
you could try a ls on the config files and sort by modified date. But i think it is almost impossible to know for certain what config changed. Unless you have fschange on splunk config files..
this change is triggered by actions in the UI, not by modifications of config per se. So it is possible that config might not have been changed, or changed and changed back, or changed innocuously. (e.g., doing a "save" on any index editing screen, even without making changes) will cause this banner to appear.