- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- "Restart Splunk for your changes to take effect"
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From the documentation (Getting Data In, v6.2.1):
Restart Splunk for your changes to take effect
Changes to configuration files such as props.conf and transforms.conf won't
take effect until you shut down and restart Splunk on all affected components.
What does it mean "on all affected components"? For example, if I change something on a forwarder, should I restart not just the forwarder, but the forward-server where the data are sent?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The page you grabbed this quote from, is about creating index time fields. Above this quote, there is a section ("Where to put the configuration changes in a distributed environment") that in order to successfully create an index time extracted field, there are changes that need to be done on a Search Head, while others need to be done on the Search Peers (indexers, or heavy forwarders depending on your architecture). For many people (with small environments, or just using the Free license), these Splunk instances are actually one in the same, but as you scale up Splunk, they start to live on separate machines (and clusters of separate machines).
If you make a change to your forwarder, usually you'll only need to restart your forwarder. Sometimes there are cases for something to work as you expect it however you'll need to make changes to multiple Splunk instances and restart all of them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you made a change on a forwarder, then restarting just the forwarder should be enough to update the configuration. The main point of restarting is just to get your edits to be recognized and added to the configuration.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If we restart heavy forwarder, does it lead to data loss? as forwarder will be forwarding data in real-time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The page you grabbed this quote from, is about creating index time fields. Above this quote, there is a section ("Where to put the configuration changes in a distributed environment") that in order to successfully create an index time extracted field, there are changes that need to be done on a Search Head, while others need to be done on the Search Peers (indexers, or heavy forwarders depending on your architecture). For many people (with small environments, or just using the Free license), these Splunk instances are actually one in the same, but as you scale up Splunk, they start to live on separate machines (and clusters of separate machines).
If you make a change to your forwarder, usually you'll only need to restart your forwarder. Sometimes there are cases for something to work as you expect it however you'll need to make changes to multiple Splunk instances and restart all of them.
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
