I am looking for an official answer on what the proper procedure is to make modifications to props.conf and/or transforms.conf take effect after you modify them on an indexer (6.x). I've tried restarting splunkd as well as running an "|extract reload=true" and I just don't get consistent results. Sometimes the filters take effect and sometimes they don't, and I don't believe it's my syntax in the files as I'm simply adding additional items (such as Windows event codes) to already working filters.
Any answers or even ideas would be greatly appreciated.
Thanks so much for the response, I appreciate it! I'll do some experimentation with btool to ensure I'm not having any precedence issues. Thanks for the tip on /debug/refresh too, I'll use that from now on. The reason I doubt the syntax is an issue is because I'm simply appending to an already existing and working filter, such as changing "REGEX = (?msi)^EventCode=(3|256|258)" to "REGEX = (?msi)^EventCode=(3|256|258|4672)" and yet the 4672s are still flooding in.
If you have made changes to your props.conf and transforms.conf, restarting the indexer absolutely will cause them to take effect.
If you aren't seeing your changes take effect upon restart:
you either have a problem with syntax, (or a typo), or you've run into a precedence problem. use btool
to be sure your changes aren't being overridden by an identical stanza, lower in the hierarchy
extract reload=t
will force Splunk to reload the props.conf
only. However if something is calling a TRANSFORMS stanza it will not refresh transforms.conf
as well, and that would be required.
Another way to reload config files without a restart is to use /debug/refresh
http://yoursplunkserver:8000/debug/refresh
You also need to consider whether you are doing search time (no restart) or index-time (restart required) changes to an existing filter in transforms.conf
If you have specific problems you might want to detail them in a more specific questions so that you can be sure your syntax is correct. Especially if you are routing and filtering using queues as there is a hierarchy there too. A common mistake is to allow the order of the stanzas to change as you edit.
Just to add this, you can refresh the entitities without explicitly hitting the endpoint, you can do so by CLI from the below command:
curl -u admin: -X POST http://:8089/servicesNS/-/-/admin/transforms-reload/_reload
above is an example of reloading the transforms entity, but in a similar way, you can do reload for other entities as well.
a list of all entities is as below:
Refreshing admin/conf-times OK
Refreshing data/ui/manager OK
Refreshing data/ui/nav OK
Refreshing data/ui/views OK
Refreshing admin/alert_actions OK
Refreshing admin/applicense SplunkdConnectionException Splunkd daemon is not responding: ("Error connecting to /servicesNS/nobody/search/admin/applicense/_reload: ('The read operation timed out',)",)
Refreshing admin/clusterconfig OK
Refreshing admin/collections-conf OK
Refreshing admin/commandsconf OK
Refreshing admin/conf-checklist OK
Refreshing admin/conf-deploymentclient OK
Refreshing admin/conf-inputs OK
Refreshing admin/conf-times OK
Refreshing admin/conf-wmi OK
Refreshing admin/cooked OK
Refreshing admin/crl ResourceNotFound Invalid action for this internal handler (handler: crl, supported: list|_reload, wanted: list).
Refreshing admin/datamodel-files OK
Refreshing admin/datamodelacceleration OK
Refreshing admin/datamodeledit OK
Refreshing admin/dataset_consolidation_datamodeleditOK
Refreshing admin/deploymentserver OK
Refreshing admin/distsearch-peer OK
Refreshing admin/eventtypes OK
Refreshing admin/fields OK
Refreshing admin/fifo OK
Refreshing admin/fvtags OK
Refreshing admin/http OK
Refreshing admin/indexer-discovery-configOK
Refreshing admin/indexes OK
Refreshing admin/limits OK
Refreshing admin/livetail OK
Refreshing admin/localapps OK
Refreshing admin/lookup-table-files OK
Refreshing admin/macros OK
Refreshing admin/manager OK
Refreshing admin/messages-conf OK
Refreshing admin/modalerts OK
Refreshing admin/monitor OK
Refreshing admin/nav OK
Refreshing admin/panels OK
Refreshing admin/passwords OK
Refreshing admin/pools OK
Refreshing admin/proxysettings OK
Refreshing admin/quickstart OK
Refreshing admin/raw OK
Refreshing admin/remote_eventlogs OK
Refreshing admin/remote_indexes BadRequest The following required arguments are missing: repositoryLocation.
Refreshing admin/remote_monitor OK
Refreshing admin/remote_perfmon OK
Refreshing admin/remote_raw OK
Refreshing admin/remote_script OK
Refreshing admin/remote_udp OK
Refreshing admin/savedsearch OK
Refreshing admin/scheduledviews OK
Refreshing admin/script OK
Refreshing admin/search-head-bundles OK
Refreshing admin/serverclasses OK
Refreshing admin/shclusterconfig OK
Refreshing admin/sourcetypes OK
Refreshing admin/splunktcptoken OK
Refreshing admin/ssl OK
Refreshing admin/syslog OK
Refreshing admin/tcpout-default OK
Refreshing admin/tcpout-group OK
Refreshing admin/tcpout-server OK
Refreshing admin/telemetry OK
Refreshing admin/transforms-extract OK
Refreshing admin/transforms-lookup OK
Refreshing admin/transforms-reload OK
Refreshing admin/udp OK
Refreshing admin/ui-prefs OK
Refreshing admin/ui-tour OK
Refreshing admin/views OK
Refreshing admin/viewstates OK
Refreshing admin/vix-indexes OK
Refreshing admin/vix-providers OK
Refreshing admin/workflow-actions OK
DONE