Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to have forwarders restart after a random time interval after getting new apps from a deployment server?

templets
Path Finder
‎04-05-2019 05:37 PM

I'm encountering an issue where, after changing or creating a new script-based app that runs periodically (e.g. once per hour), the forwarders check-in, deploy the app, then all, perhaps 1000's, restart and execute the script at effectively the same time. Among other issues, this causes an unwanted spike in traffic.

To fix this, either the forwarders need to check in after longer, hopefully random times, or the forwarders need to not all restart at the same time. I'd like to not have to add a random wait at the start of each script if I can help it.

Is there a way to have the forwarders restart after a random delay generated by each forwarder?

I think this should be a feature of the Splunk forwarders.

Thanks!

0 Karma
Reply

woodcock
Esteemed Legend
‎04-07-2019 07:55 AM

Assuming *NIX and a random interval from 1 to 100 seconds:

Do NOT use restartSplunkd in your serverclass.conf Run this command once:

/bin/cksum /opt/splunk/etc/apps | /bin/sed "s/ .*$//" > /tmp/splunkcksum.txt; echo /tmp/splunkcksum.txt

Then add this cron job

*/5 * * * * if [ $(/bin/cksum /opt/splunk/etc/apps | /bin/sed "s/ .*$//") -ne $(cat /tmp/splunkcksum.txt) ]; then  /bin/sleep $(((RANDOM%100 )+1)); /opt/splunk/bin/splunk restart; /bin/cksum /opt/splunk/etc/apps | /bin/sed "s/ .*$//" > /tmp/splunkcksum.txt; fi

Obviously, this will need to be adjusted to fit.

Reply

ddrillic
Ultra Champion
‎04-07-2019 02:48 PM

@woodcock - why shouldn't we use restartSplunkd in the serverclass.conf?

0 Karma
Reply

woodcock
Esteemed Legend
‎04-07-2019 02:55 PM

You should in the normal situation, but in this situation, using this cron job to do the restarts so that they are more staggered, you should not (that is the whole point of the question).

Reply

ddrillic
Ultra Champion
‎04-07-2019 02:59 PM

Got it ; -) thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...