Is there a way where I do not have to restart splunk to enable a new indexing?
How to reload transforms.conf without restart...
Thanks
Hi,
A small doubt...
Should i add something before ...| extract reload=T in the search bar ?? as "| extract reload=T" alone didn't work for me.
I tried all the three links
Still, the sourcetypes are not listed in.
Thanks in advance,
Kannan
Hi Matt,
Tried that link already.. It didn't work..
Is there anything that could stop refreshing the conf files ??
Thanks,
Kannan
Hi,
If an extract reload isn't working for you, try doing a debug refresh (see 3rd answer for reference).
Cheers,
Matt.
Thanks for your answers.
Actually if I refer to the indexing configuration, it could change in real time without restarting splunk?
I did not get to
http://yoursplunkserver:8000/en-GB/debug/refresh
http://yoursplunkserver:8000/en-GB/debug/refresh?entity=admin/transforms-lookup
http://yoursplunkserver:8000/en-GB/debug/refresh?entity=admin/transforms-extract
Thank you very much Drainy.
Please, think they may be able to support me with a question I opened a while ago, so far I could not finish, look at is as follows:
http://answers.splunk.com/answers/101788/indexing-queues-greater-than-100-lines
Hopefully possible.
thanks
Yeah, as my answer above. You do need a restart for index time changes to take effect, I believe the different processors have to be restarted for the changes to take effect.
Uhm ... run all these url, obviously with my host parameters, but does not send the nullQueue the changes I've made. I have to restart necessarily.
en-GB is just another locale just like en-US, so it doesn't need to be changed.
You need to replace "yoursplunkserver" with your server address. If you are using a local version of splunk, replace "yoursplunkserver" with "localhost".
You probably want to change en-GB to en-US, and this does take some time to run.
Did you get an error? If so, what was it?
Hi Jrodriguez.
You can reload any number of config files at index time using the debug refresh endpoint in Splunk. I use this all the time when I make changes to props.conf.
You can view all of the endpoints by typing the following into your browser:
http://yoursplunkserver:8000/en-GB/debug/refresh
and to explicitly reload the transforms.conf file, use the following:
http://yoursplunkserver:8000/en-GB/debug/refresh?entity=admin/transforms-lookup
for new lookup file definitions that reside within transforms.conf
http://yoursplunkserver:8000/en-GB/debug/refresh?entity=admin/transforms-extract for new field transforms/extractions that reside within transforms.conf
Hope this helps!
Just to add this, you can refresh the entitities without explicitly hitting the endpoint, you can do so by CLI from the below command:
curl -u admin: -X POST http://:8089/servicesNS/-/-/admin/transforms-reload/_reload
above is an example of reloading the transforms entity, but in a similar way, you can do reload for other entities as well.
Just to expand on RTurks answer, in newer versions you don't need to run this.
Each time you run a search Splunk will fork off a new process and reload the props and transforms as part of that - for any search time changes.
Any index time changes still require a restart.
extract refers to search-time field extractions.
Is 'transforms-extract' an index time change or a search time change? I don't know myself, and there are two conflicting answers here.
Hi Jrodriguez,
To reload the search-time functions of props.conf
and transforms.conf
issue the following command in the search query bar:
| extract reload=T
Hope this helps 🙂
RT