Deployment Architecture

splunk restart on all my forwarders

splunksurekha
Path Finder

Some of my logs stops getting indexed until i do a splunk restart on those forwarders.
So can u tell me a way i can do a splunk restart on all the forwarders.

0 Karma
1 Solution

woodcock
Esteemed Legend

If you are using a Deployment Server and it has deployed any app to every forwarder, you can edit the app to enable restartSplunkd and then modify the app on the DS in some trivial way and do $SPLUNK_HOME/bin/splunk reload deploy-server.

View solution in original post

0 Karma

woodcock
Esteemed Legend

If you are using a Deployment Server and it has deployed any app to every forwarder, you can edit the app to enable restartSplunkd and then modify the app on the DS in some trivial way and do $SPLUNK_HOME/bin/splunk reload deploy-server.

0 Karma

splunksurekha
Path Finder

[serverClass:bizx_server-node]

webserver subnet

whitelist.0 = 10.10.20.

application-server subnet

whitelist.1 = 10.10.30.

db-server subnet

whitelist.2 = 10.10.40.

customer facing subnet

whitelist.3 = 10.10.36.
restartSplunkd = true
[serverClass:bizx_server-node:app:sfapp_all_bizx]

I have added restartsplunkd=true in my serverclass.conf for one of the serverclasses.
So It means that when i do a reload deploy-server -class bizx_server-node on my deployment server then all these ip ranges whitelisted above should get restarted . correct ??

But its not happening. I tried . And waited for around 10 hours but still didn't work .
Whereas when i manually logged into that forwarder and did a splunk restart the particular log file came up within a fraction of second.

0 Karma

splunksurekha
Path Finder

Hi,

Thanks but is there any limitation on the number of forwarders ? will it by any chance affect performance.

Thanks

0 Karma

woodcock
Esteemed Legend

Is this hypothetical or do you have an actual system in need of Splunk restarts on forwarders? There is a practical limit on the number of forwarders that should be controlled by a single DS. If you connect to many, you will overwhelm your DS. A very general maximum is 500 clients per DS. You can read more details here:
http://wiki.splunk.com/Deploy:DeploymentServer

0 Karma

splunksurekha
Path Finder

[serverClass:bizx_server-node]

webserver subnet

whitelist.0 = 10.10.20.*

application-server subnet

whitelist.1 = 10.10.30.*

db-server subnet

whitelist.2 = 10.10.40.*

customer facing subnet

whitelist.3 = 10.10.36.*
restartSplunkd = true
[serverClass:bizx_server-node:app:sfapp_all_bizx]

I have added restartsplunkd=true in my serverclass.conf for one of the serverclasses.
So It means that when i do a reload deploy-server -class bizx_server-node on my deployment server then all these ip ranges whitelisted above should get restarted . correct ??

But its not happening. I tried . And waited for around 10 hours but still didn't work .
Whereas when i manually logged into that forwarder and did a splunk restart the particular log file came up within a fraction of second.

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...