Deployment Architecture

What is the 'Restart Splunkd' option for?

BG
Explorer

1) Which 'splunkd' is this referring to? The Universal Forwarder or Splunk Enterprise (the Deployment Server)?

2) 'After installation' of what....the deployment app?

3) Does this tick box cause the Universal Forwarder to restart each time there's a modification to the deployment app, e.g. a change to inputs.conf?

0 Karma

BG
Explorer

OK, I finally got this all working, e.g. the remote file monitor is now getting the data into an index.

The issue was not actually due to a missing tick in the 'Restart splunkd' box. For some reason on my Deployment Server, it is necessary to issue the following command (after first switching to user 'splunk'):

/opt/splunk/bin/splunk reload deploy-server -class [classname]

To clarify, even though my deployment client is phoning home OK and downloading the new config, and the local splunkd service is restarting which loads the new config, for some reason the data isn't sent to the Splunk Cloud indexer until the serverclass is 'reloaded'.

If anyone can point me in the direction of official Splunk documentation that describes the '-class' option of the 'deploy-server' reload command, that would be much appreciated.

0 Karma

BG
Explorer

OK, thanks for the answer.

I had read that documentation before but it wasn't clear on that specific point about when the restart occurs:

"immediately after a deployment client downloads the app" - I read this to mean splunkd restarts after the UF downloads the app, but this doesn't mean subsequent changes to the app result in a splunkd restart. If it does indeed mean splunkd restarts each time the deployment client phones home and downloads updates, then that is of course a good feature, but the documentation needs to be clearer on that point.

The main reason I'm querying this is that I recently had a problem where my UF (Deployment Client) wasn't sending data to Splunk Cloud even though it had been restarted via the CLI (e.g. $SPLUNK_HOME/bin/splunk.exe restart). When I ticked the 'Restart splunkd' box, Splunk Cloud started receiving data from UF shortly after. Hence the reason I asked if there's a difference between these two methods for restarting the UF service. Furthermore, this is on a Windows 2019 server. I've not had this issue on Linux server deployment clients. I have built 6 deployment apps for 6 different applications running on Linux boxes, and none of them have the 'Restart splunkd' box ticked within the Deployment Server, yet they all respond to deployment app updates via a UF restart from the command line.

0 Karma

inventsekar
Ultra Champion

I understand your manual Splunk service restart did not work on the Windows UF (hmm, Windows may give us such issues often), and I see that when you tick the box for splunkd restart, it works fine.

There are around 3 methods to restart a Windows UF Splunk service. Please check them at:
https://docs.splunk.com/Documentation/Splunk/9.0.2/Admin/Configurationfilechangesthatrequirerestart

This document tells us when to restart Splunk services for UF, HF and indexer.

As a general rule, when we make changes to config files, we must restart the Splunk service.

I am not sure of the Windows UF restart method; our UFs are always on Linux servers. This document provides the ideas for Windows Splunk service restart methods.

https://docs.splunk.com/Documentation/Splunk/7.0.3/Admin/StartSplunk#Start_Splunk_Enterprise_on_Wind...

Question - If it does indeed mean splunkd restarts each time the deployment client phones home and downloads updates, then that is of course a good feature, but the documentation needs to be clearer on that point.

The UF will phone home to the Deployment Server at regular intervals, and it should not restart the Splunk service each time. A Splunk service restart should happen only when there is really a config change.

By default, a Splunk Universal Forwarder or full Splunk Enterprise instance will phone home to the deployment server every 60 seconds. (I could not find the Splunk doc link. I found only this: https://www.pixelchef.net/identifying-splunk-forwarders-phone-home-too-frequently#:~:text=By%20defau...)

inventsekar
Ultra Champion

Hi @BG,

1) Which 'splunkd' is this referring to? The Universal Forwarder or Splunk Enterprise (the Deployment Server)?
The "splunkd" referred to here is the UF's splunkd. This option helps Splunk admins to restart the splunkd on the Universal Forwarder after an app gets deployed.

2) 'After installation' of what....the deployment app?
Yes, exactly, the deployment app.

3) Does this tick box cause the Universal Forwarder to restart each time there's a modification to the deployment app, e.g. a change to inputs.conf?

Yes, when we change inputs.conf and deploy the app to the UF, the UF should restart for the inputs.conf changes to take effect. So we need to select the "Restart Splunkd" tick box.

More details on the documentation page:

https://docs.splunk.com/Documentation/Splunk/9.0.2/Updating/Useforwardermanagementtomanageapps
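
An added example, not part of the thread or of Splunk's own tooling: a small audit that reads a serverclass.conf and reports, per deployment app, whether an update will restart splunkd on the forwarder. It assumes the tick box is stored as the `restartSplunkd` setting, that it defaults to false, and that an app-level value overrides the server class, which overrides `[global]`; the class and app names in the sample are constructed.

```python
import configparser

# Constructed sample serverclass.conf; class and app names are hypothetical.
SAMPLE = """
[global]
restartSplunkd = false

[serverClass:linux_uf]
whitelist.0 = lnx-*

[serverClass:linux_uf:app:app_linux_inputs]
stateOnClient = enabled

[serverClass:windows_uf]
whitelist.0 = win-*
restartSplunkd = false

[serverClass:windows_uf:app:app_win_inputs]
restartSplunkd = true
"""


def restart_settings(conf_text):
    """Return {(server_class, app): bool} with the effective restartSplunkd value."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # Splunk setting names are case-sensitive
    cp.read_string(conf_text)

    def flag(section, inherited):
        # Use the value set in this stanza, otherwise fall back to the parent level.
        if cp.has_section(section) and cp.has_option(section, "restartSplunkd"):
            return cp.get(section, "restartSplunkd").strip().lower() in ("true", "1")
        return inherited

    base = flag("global", False)  # assumed default when nothing is set: false
    result = {}
    for section in cp.sections():
        parts = section.split(":")
        # App stanzas look like serverClass:<class>:app:<app>
        if len(parts) == 4 and parts[0] == "serverClass" and parts[2] == "app":
            class_value = flag("serverClass:" + parts[1], base)
            result[(parts[1], parts[3])] = flag(section, class_value)
    return result


if __name__ == "__main__":
    for (cls, app), restarts in sorted(restart_settings(SAMPLE).items()):
        print(f"{cls}/{app}: restart after deploy = {restarts}")
```

Apps reported as False pick up a changed inputs.conf only after the forwarder is restarted by some other means, which matters when the input being changed feeds security monitoring.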

 
