Deployment Architecture
Highlighted

What changes to configuration files require a restart of Splunk?

Legend

What changes to Splunk configuration files require a restart of Splunk to take effect?

Is there a list or table somewhere that lists the changes that require restart? Why do some changes require restart, but other changes don't?

Tags (1)
Highlighted

Re: What changes to configuration files require a restart of Splunk?

Splunk Employee
Splunk Employee
0 Karma
Highlighted

Re: What changes to configuration files require a restart of Splunk?

Legend

This is a good start!

0 Karma
Highlighted

Re: What changes to configuration files require a restart of Splunk?

Path Finder

So far, I've only been able to figure this out empirically. Things which only affect search-time operations, such as macros.conf, props.conf, and most things in transforms.conf don't seem to need a restart. Changes to savedsearches.conf likely will need a restart, as these searches become REST(?) endpoints for queries to Splunkd. Things which affect server state, such as licensing changes, web server configuration, etc, all require restart. Updating views or navigation does not, see here (answers.splunk.com)

Highlighted

Re: What changes to configuration files require a restart of Splunk?

Legend

I like your "things that affect server state" category, I will make it Heuristic # 3 in my example below.

0 Karma
Highlighted

Re: What changes to configuration files require a restart of Splunk?

Legend

You may need to restart for changes to savedsearches.conf if -

- you have manually edited the file

- you want REST endpoints created

But you don't need to restart Splunk to use the saved searches from the Splunk UI

0 Karma
Highlighted

Re: What changes to configuration files require a restart of Splunk?

Communicator

Hi @lguinn2
I have changed action.email.max results for one of the saved search from 10000 to 100000 from advanced settings. But I have not restarted splunk.
Changes have been reflected in savedsearch.conf files but this didn't worked as still the report showing results for 10000 files only.
So, does it mean here, we need restart of splunk ?

0 Karma
Highlighted

Re: What changes to configuration files require a restart of Splunk?

Legend

I am taking a stab at answering my own question, but a more definitive answer would be better!


Heuristic 1: Any changes made by editing .conf files directly will require a restart.

Exception: changes to search-time field extractions in props.conf do not require a restart
Exception: .conf files for lookup tables, tags and eventtypes are also re-read for each search, so no restart is needed
Exception: changing the CSS does not require a restart (just click the Splunk logo to reload)


Heuristic 2: Any changes that affect indexing, in general, will require a Splunk restart.

Exception: Adding a new input via the Splunk Manager (web interface) or CLI does not require a restart
Exception: Adding a new index via the Splunk Manager (web interface) or CLI does not require a restart


Heuristic 3. Any changes to server state, in general, will require a Splunk restart.

Examples that require a restart:

  • Changes to general indexer settings (minimum free disk space, default server name, etc.)
  • Changes to General Settings (eg., port settings)
  • Changing a forwarder's output settings
  • Changing the timezone in the OS of a splunk server (Splunk retrieves its local timezone from the underlying OS at startup) ___ #### Other changes that require a restart
  • Creating a pool of search heads
  • Removing an input
  • Enabling SSL for Splunk Web access (you really only need to restart splunkweb)
  • Installing an Enterprise license for the first time on a license master
  • Installing some apps (not all)
    ___ If you make changes using the Splunk Manager in the web interface, you will reduce the restarts needed. This is because the Manager will both update the underlying configuration file(s) and notify the running Splunk instance (splunkd) of the changes.
Highlighted

Re: What changes to configuration files require a restart of Splunk?

Splunk Employee
Splunk Employee

I believe that hitting http://myserver:8000/en-US/debug/refresh will catch at least a fair bit of the config file stuff. I almost exclusively hand-edit config files and debug/refresh does the trick. I will say that I think CSS actually doesn't seem to refresh properly/easily, probably until you bump the build number in your app.conf, then it would.

Highlighted

Re: What changes to configuration files require a restart of Splunk?

Explorer

after doing some testing, I can add that:

1) hitting http://servername:splunkwebport/debug/refresh updates lots and lots of stuff, including changes to inputs.conf, indexes.conf, commands.conf--etc, see the whole list by hitting that URL and seeing the output.

2) it (#1 above) does NOT update changes made to props.conf except extracts.

3) | extract reload=t does NOT update index-time settings in props.conf either. 😞 so index-time settings in props.conf need a restart.

4) and #1 is only available on machines that have splunkweb running, so NA for UF or indexers with SW turned off.

0 Karma