Deployment Architecture

What is the 'Restart Splunkd' option for?

BG
Explorer


1) Which 'splunkd' is this referring to? The Universal Forwarder or Splunk Enterprise (the Deployment Server)?

2) 'After installation' of what....the deployment app?

3) Does this tick box cause the Universal Forwarder to restart each time there's a modification to the deployment app, e.g. a change to inputs.conf?

0 Karma

BG
Explorer

OK, I finally got this all working, e.g. the remote file monitor is now getting the data into an index.

The issue was not actually due to a missing tick in the 'Restart splunkd' box. For some reason on my Deployment Server, it is necessary to issue the following command (after first switching to user 'splunk'):

/opt/splunk/bin/splunk reload deploy-server -class [classname]

To clarify, even though my deployment client is phoning home OK and downloading the new config, and the local splunkd service is restarting which loads the new config, for some reason the data isn't sent to the Splunk Cloud indexer until the serverclass is 'reloaded'.

If anyone can point me in the direction of official Splunk documentation that describes the '-class' option of the 'deploy-server' reload command, that would be much appreciated.

0 Karma

BG
Explorer

OK, thanks for the answer.

I had read that documentation before but it wasn't clear on that specific point about when the restart occurs:

"immediately after a deployment client downloads the app" - I read this to mean splunkd restarts after the UF downloads the app, but this doesn't mean subsequent changes to the app result in a splunkd restart. If it does indeed mean splunkd restarts each time the deployment client phones home and downloads updates, then that is of course a good feature, but the documentation needs to be clearer on that point.

The main reason I'm querying this is that I recently had a problem where my UF (Deployment Client) wasn't sending data to Splunk Cloud even though it had been restarted via the CLI (e.g. $SPLUNK_HOME/bin/splunk.exe restart). When I ticked the 'Restart splunkd' box, Splunk Cloud started receiving data from UF shortly after. Hence the reason I asked if there's a difference between these two methods for restarting the UF service. Furthermore, this is on a Windows 2019 server. I've not had this issue on Linux server deployment clients. I have built 6 deployment apps for 6 different applications running on Linux boxes, and none of them have the 'Restart splunkd' box ticked within the Deployment Server, yet they all respond to deployment app updates via a UF restart from the command line.

0 Karma

inventsekar
SplunkTrust

I understand your manual Splunk service restart did not work on the Windows UF (hmm, Windows may give us such issues often), and I see that when you update the tick box for the splunkd restart, it works fine.

There are around 3 methods to restart a Windows UF Splunk service. Please check them at:
https://docs.splunk.com/Documentation/Splunk/9.0.2/Admin/Configurationfilechangesthatrequirerestart

This document tells us when to restart Splunk services for UF, HF and indexer.

As a general rule, when we make changes to config files, we must restart the Splunk service.

I am not sure of the Windows UF restart method; all of our UFs are on Linux servers. This document provides ideas for Windows Splunk service restart methods.

https://docs.splunk.com/Documentation/Splunk/7.0.3/Admin/StartSplunk#Start_Splunk_Enterprise_on_Wind...

 

Question - If it does indeed mean splunkd restarts each time the deployment client phones home and downloads updates, then that is of course a good feature, but the documentation needs to be clearer on that point.

The UF will phone home to the Deployment Server at regular intervals, and it should not restart the Splunk service each time. A Splunk service restart should happen only when there is really a config change.

By default, a Splunk Universal Forwarder or full Splunk Enterprise instance will phone home to the deployment server every 60 seconds. (I could not find the Splunk doc link; I found only this: https://www.pixelchef.net/identifying-splunk-forwarders-phone-home-too-frequently#:~:text=By%20defau...)

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

inventsekar
SplunkTrust

Hi @BG .. 

1) Which 'splunkd' is this referring to? The Universal Forwarder or Splunk Enterprise (the Deployment Server)?
The "splunkd" referred to here is the UF's splunkd. This option helps Splunk admins to restart the splunkd on the Universal Forwarder after an app gets deployed.

2) 'After installation' of what....the deployment app?
Yes, exactly, the deployment app.

3) Does this tick box cause the Universal Forwarder to restart each time there's a modification to the deployment app, e.g. a change to inputs.conf?

Yes, when we change inputs.conf and deploy the app to the UF, the UF should restart for the inputs.conf changes to take effect. So we need to select the "Restart Splunkd" tick box.

More details on the documentation page:

https://docs.splunk.com/Documentation/Splunk/9.0.2/Updating/Useforwardermanagementtomanageapps

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
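
The tick box discussed in this thread is stored on the deployment server as the restartSplunkd setting in serverclass.conf, where an app-level stanza overrides the server class stanza, which overrides [global], and an unset value means false. The following is an added example, not part of the thread and not Splunk's own code: it resolves the effective value for every deployed app. The sample file, its class and app names, and the list of accepted true spellings are assumptions.

```python
import configparser

# Constructed sample serverclass.conf; class and app names are hypothetical.
SAMPLE_CONF = """
[global]
restartSplunkd = false

[serverClass:windows_uf]
whitelist.0 = win-*

[serverClass:windows_uf:app:win_file_monitor]
restartSplunkd = true

[serverClass:linux_uf]
whitelist.0 = lnx-*
restartSplunkd = true

[serverClass:linux_uf:app:nix_inputs]

[serverClass:linux_uf:app:nix_outputs]
restartSplunkd = 0
"""

# Assumption: these spellings are treated as boolean true.
TRUE_VALUES = {"1", "true", "t", "yes", "y"}


def effective_restart(conf_text):
    """Map (server_class, app) -> effective restartSplunkd for each app stanza."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#",),
                                   interpolation=None, strict=False)
    cp.optionxform = str  # keep the camelCase key names as written
    cp.read_string(conf_text)
    result = {}
    for section in cp.sections():
        parts = section.split(":")
        if len(parts) != 4 or parts[0] != "serverClass" or parts[2] != "app":
            continue
        # Most specific stanza wins: app, then server class, then [global].
        value = None
        for candidate in (section, "serverClass:" + parts[1], "global"):
            if cp.has_option(candidate, "restartSplunkd"):
                value = cp.get(candidate, "restartSplunkd").strip().lower()
                break
        result[(parts[1], parts[3])] = value in TRUE_VALUES  # unset means false
    return result


if __name__ == "__main__":
    for (server_class, app), restart in sorted(effective_restart(SAMPLE_CONF).items()):
        print(f"{server_class}/{app}: restartSplunkd={restart}")
```

Apps reported as False will receive updated files on phone-home but will not have splunkd restarted by the deployment client.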