What changes to Splunk configuration files require a restart of Splunk to take effect?
Is there a list or table somewhere that lists the changes that require restart? Why do some changes require restart, but other changes don't?
So far, I've only been able to figure this out empirically. Things which only affect search-time operations, such as macros.conf, props.conf, and most things in transforms.conf, don't seem to need a restart. Changes to savedsearches.conf likely will need a restart, as these searches become REST(?) endpoints for queries to Splunkd. Things which affect server state, such as licensing changes, web server configuration, etc., all require a restart. Updating views or navigation does not; see here (answers.splunk.com)
I like your "things that affect server state" category, I will make it Heuristic # 3 in my example below.
You may need to restart for changes to savedsearches.conf if:
- you have manually edited the file
- you want REST endpoints created
But you don't need to restart Splunk to use the saved searches from the Splunk UI
I have changed action.email.maxresults for one of the saved searches from 10000 to 100000 from advanced settings. But I have not restarted Splunk.
The changes have been reflected in the savedsearch.conf files, but this didn't work, as the report is still showing results for 10000 files only.
So, does this mean we need a restart of Splunk?
I am taking a stab at answering my own question, but a more definitive answer would be better!
Exception: changes to search-time field extractions in props.conf do not require a restart
Exception: .conf files for lookup tables, tags and eventtypes are also re-read for each search, so no restart is needed
Exception: changing the CSS does not require a restart (just click the Splunk logo to reload)
Exception: Adding a new input via the Splunk Manager (web interface) or CLI does not require a restart
Exception: Adding a new index via the Splunk Manager (web interface) or CLI does not require a restart
Examples that require a restart:
I believe that hitting http://myserver:8000/en-US/debug/refresh will catch at least a fair bit of the config file stuff. I almost exclusively hand-edit config files and debug/refresh does the trick. I will say that I think CSS actually doesn't seem to refresh properly/easily, probably until you bump the build number in your app.conf, then it would.
After doing some testing, I can add that:
1) hitting http://servername:splunkwebport/debug/refresh updates lots and lots of stuff, including changes to inputs.conf, indexes.conf, commands.conf, etc.; see the whole list by hitting that URL and seeing the output.
2) it (#1 above) does NOT update changes made to props.conf except extracts.
3) | extract reload=t does NOT update index-time settings in props.conf either. 😞 so index-time settings in props.conf need a restart.
4) and #1 is only available on machines that have splunkweb running, so NA for UF or indexers with SW turned off.