As per the below screen shot can you please tell me which log file captures this error message : "splunk must be restarted for changes to take effect "
Or if in frontend this message is getting saved somewhere let me know .
You can find all of splunks internal logs with index = _internal. When you search for restart, you should find your message among the results.
index = _internal
View solution in original post
But this is a persistent error even if i restart the idexer the error gets poped up after some time even though i dont modify anything.
So can you please give me the query to get these errors in the search box
That's a different question 🙂 You may be able to find something with the Splunk on Splunk app, see here.