A small doubt...
Should i add something before ...| extract reload=T in the search bar ?? as "| extract reload=T" alone didn't work for me.
I tried all the three links
Still, the sourcetypes are not listed in.
Thanks in advance,
Thanks for your answers.
Actually if I refer to the indexing configuration, it could change in real time without restarting splunk?
I did not get to
Thank you very much Drainy.
Please, think they may be able to support me with a question I opened a while ago, so far I could not finish, look at is as follows:
You can reload any number of config files at index time using the debug refresh endpoint in Splunk. I use this all the time when I make changes to props.conf.
You can view all of the endpoints by typing the following into your browser:
and to explicitly reload the transforms.conf file, use the following:
for new lookup file definitions that reside within transforms.conf
http://yoursplunkserver:8000/en-GB/debug/refresh?entity=admin/transforms-extract for new field transforms/extractions that reside within transforms.conf
Hope this helps!
Just to add this, you can refresh the entitities without explicitly hitting the endpoint, you can do so by CLI from the below command:
curl -u admin: -X POST http://:8089/servicesNS/-/-/admin/transforms-reload/_reload
above is an example of reloading the transforms entity, but in a similar way, you can do reload for other entities as well.
Just to expand on RTurks answer, in newer versions you don't need to run this.
Each time you run a search Splunk will fork off a new process and reload the props and transforms as part of that - for any search time changes.
Any index time changes still require a restart.