What changes to configuration files require a restart of Splunk?

Legend

What changes to Splunk configuration files require a restart of Splunk to take effect?

Is there a list or table somewhere that lists the changes that require restart? Why do some changes require restart, but other changes don't?


Path Finder

I've read the Splunk docs (latest version, 6.4.1) topic "When to restart Splunk Enterprise after a configuration file change" mentioned here, and that's a good start, but I'd like more clarity and detail, because that current doc does not address some of my specific use cases. (With apologies if it does, and I have simply failed to notice it, even after reading it several times.)

I'm planning to use the REST API configuration endpoints to create, update, and (possibly) delete "raw" TCP inputs, including TCP with SSL/TLS, defined in tcp and tcp-ssl stanzas in inputs.conf. I know that Splunk Web uses the REST API, and I have previously used Splunk Web to create data inputs, and then used them without restarting splunkd, so my guess is that I can probably use the REST API myself to do this without restarting splunkd. But I haven't analyzed Ajax calls by Splunk Web in enough detail to know whether it follows those configuration endpoint calls with, say, a call to refresh inputs. Minor observation: when I view TCP inputs (that I have created by directly editing inputs.conf) in Splunk Web, that UI doesn't appear to distinguish between SSL and non-SSL TCP inputs; I'm about to find out whether this has any basis in the REST API.

The "When to restart..." docs topic states:

Changes made in Splunk Web are less likely to require restarts.

but doesn't specifically mention the REST API. I wish it did.

I'm also considering using the REST API to update settings in the SSL stanza of inputs.conf, affecting SSL/TLS-specific aspects of inputs defined in tcp-ssl stanzas. Currently, to test different SSL configurations (such as different cipher suites, or client authentication), I'm editing the SSL stanza directly in inputs.conf, and then restarting splunkd. It would be nice to be able to use the REST API to update specific keys in the SSL stanza, and for that to (to borrow some words from the "When to restart..." topic) "automatically ... notify the running Splunk instance (splunkd) of the changes". I'll quickly find out for myself whether or not this actually happens, but it would be nice for the docs to describe the expected behavior.

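The REST workflow the question describes (create a raw TCP input through splunkd's configuration endpoints, ask splunkd to re-read it, then confirm it is live without a restart) as an added example; this is not code from the thread or from Splunk. It assumes the management port at https://host:8089 with basic auth, the `data/inputs/tcp/raw` endpoint, its `SSL` parameter and the `_reload` action; the transport is injectable so the request logic can be exercised offline.

```python
# Added example (not from the thread): drive splunkd's REST config endpoints
# to create a raw TCP input and re-read it instead of restarting splunkd.
# Assumed: https://host:8089 management port, basic auth, endpoint path
# data/inputs/tcp/raw, its "SSL" parameter and the "_reload" action.
import base64
import json
import ssl
from urllib import parse, request


def _https_transport(url, method, body, headers, cafile=None):
    """Real transport: verifies splunkd's certificate (cafile or system CAs)."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = request.Request(url, data=body, headers=headers, method=method)
    with request.urlopen(req, context=ctx) as resp:
        return resp.read()


class SplunkTcpInputs:
    def __init__(self, base_url, user, password, transport=_https_transport):
        self.base = base_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}"}
        self.transport = transport  # swapped for a fake in offline tests

    def _call(self, method, path, params=None):
        url = f"{self.base}/services/{path}?output_mode=json"
        body = parse.urlencode(params).encode() if params else None
        raw = self.transport(url, method, body, self.headers)
        return json.loads(raw) if raw else {}

    def create_raw_tcp(self, port, sourcetype, use_ssl=False):
        # "SSL=1" is assumed to produce a [tcp-ssl://port] stanza in inputs.conf
        params = {"name": str(port), "sourcetype": sourcetype,
                  "SSL": "1" if use_ssl else "0"}
        return self._call("POST", "data/inputs/tcp/raw", params)

    def reload_raw_tcp(self):
        # "_reload" is assumed to make splunkd re-read the stanzas (no restart)
        return self._call("POST", "data/inputs/tcp/raw/_reload")

    def list_raw_tcp(self):
        """Map input name -> content so a caller can confirm the stanza is live."""
        entries = self._call("GET", "data/inputs/tcp/raw").get("entry", [])
        return {e["name"]: e.get("content", {}) for e in entries}
```

Reading the endpoint back after `_reload` is the check that the input took effect; if the new stanza is absent from `list_raw_tcp()`, the change still needs a restart.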
Explorer

After doing some testing, I can add that:

1) Hitting http://servername:splunkwebport/debug/refresh updates lots and lots of stuff, including changes to inputs.conf, indexes.conf, commands.conf, etc.; see the whole list by hitting that URL and looking at the output.

2) It (#1 above) does NOT update changes made to props.conf except extracts.

3) | extract reload=t does NOT update index-time settings in props.conf either. 😞 So index-time settings in props.conf need a restart.

4) And #1 is only available on machines that have splunkweb running, so N/A for UF or indexers with SW turned off.

Legend

I am taking a stab at answering my own question, but a more definitive answer would be better!

Heuristic 1: Any changes made by editing .conf files directly will require a restart.

  • Exception: changes to search-time field extractions in props.conf do not require a restart
  • Exception: .conf files for lookup tables, tags and eventtypes are also re-read for each search, so no restart is needed
  • Exception: changing the CSS does not require a restart (just click the Splunk logo to reload)

Heuristic 2: Any changes that affect indexing, in general, will require a Splunk restart.

  • Exception: Adding a new input via the Splunk Manager (web interface) or CLI does not require a restart
  • Exception: Adding a new index via the Splunk Manager (web interface) or CLI does not require a restart

Heuristic 3: Any changes to server state, in general, will require a Splunk restart.

Examples that require a restart:

  • Changes to general indexer settings (minimum free disk space, default server name, etc.)
  • Changes to General Settings (e.g., port settings)
  • Changing a forwarder's output settings
  • Changing the timezone in the OS of a Splunk server (Splunk retrieves its local timezone from the underlying OS at startup)

Other changes that require a restart:

  • Creating a pool of search heads
  • Removing an input
  • Enabling SSL for Splunk Web access (you really only need to restart splunkweb)
  • Installing an Enterprise license for the first time on a license master
  • Installing some apps (not all)

If you make changes using the Splunk Manager in the web interface, you will reduce the restarts needed. This is because the Manager will both update the underlying configuration file(s) and notify the running Splunk instance (splunkd) of the changes.

Splunk Employee

I believe that hitting http://myserver:8000/en-US/debug/refresh will catch at least a fair bit of the config file stuff. I almost exclusively hand-edit config files and debug/refresh does the trick. I will say that I think CSS actually doesn't seem to refresh properly/easily, probably until you bump the build number in your app.conf, then it would.

Path Finder

So far, I've only been able to figure this out empirically. Things which only affect search-time operations, such as macros.conf, props.conf, and most things in transforms.conf, don't seem to need a restart. Changes to savedsearches.conf likely will need a restart, as these searches become REST(?) endpoints for queries to splunkd. Things which affect server state, such as licensing changes, web server configuration, etc., all require a restart. Updating views or navigation does not; see here (answers.splunk.com).

Legend

You may need to restart for changes to savedsearches.conf if:

- you have manually edited the file
- you want REST endpoints created

But you don't need to restart Splunk to use the saved searches from the Splunk UI.

Communicator

Hi @lguinn2
I have changed action.email.maxresults for one of the saved searches from 10000 to 100000 from the advanced settings. But I have not restarted Splunk.
The change has been reflected in the savedsearches.conf file, but it didn't work, as the report is still showing results for 10000 files only.
So, does it mean that here we need a restart of Splunk?

Legend

I like your "things that affect server state" category; I will make it Heuristic #3 in my example below.

Legend

This is a good start!