
Reload transforms.conf without restarting splunk

Communicator

Is there a way where I do not have to restart Splunk to enable a new indexing?
How to reload transforms.conf without restart...

Thanks


Re: Reload transforms.conf without restarting splunk

Builder

Hi Jrodriguez,

To reload the search-time functions of props.conf and transforms.conf, issue the following command in the search query bar:

| extract reload=T

Hope this helps 🙂

RT


Re: Reload transforms.conf without restarting splunk

Champion

Just to expand on RTurk's answer, in newer versions you don't need to run this.

Each time you run a search, Splunk will fork off a new process and reload the props and transforms as part of that, for any search-time changes.
Any index-time changes still require a restart.


Re: Reload transforms.conf without restarting splunk

Super Champion

Is 'transforms-extract' an index-time change or a search-time change? I don't know myself, and there are two conflicting answers here.

0 Karma

Re: Reload transforms.conf without restarting splunk

Legend

extract refers to search-time field extractions.

0 Karma

Re: Reload transforms.conf without restarting splunk

Contributor

Hi Jrodriguez.

You can reload any number of config files at index time using the debug refresh endpoint in Splunk. I use this all the time when I make changes to props.conf.
You can view all of the endpoints by typing the following into your browser:

http://yoursplunkserver:8000/en-GB/debug/refresh

and to explicitly reload the transforms.conf file, use the following:

http://yoursplunkserver:8000/en-GB/debug/refresh?entity=admin/transforms-lookup
for new lookup file definitions that reside within transforms.conf

http://yoursplunkserver:8000/en-GB/debug/refresh?entity=admin/transforms-extract
for new field transforms/extractions that reside within transforms.conf

Hope this helps!


Re: Reload transforms.conf without restarting splunk

Communicator

Just to add to this, you can refresh the entities without explicitly hitting the endpoint; you can do so from the CLI with the command below:
curl -u admin: -X POST http://:8089/servicesNS/-/-/admin/transforms-reload/_reload

The above is an example of reloading the transforms entity, but in a similar way you can reload other entities as well.

0 Karma

Re: Reload transforms.conf without restarting splunk

Communicator

Thanks for your answers.
Actually, if I refer to the indexing configuration, could it change in real time without restarting Splunk?
I did not get to:
http://yoursplunkserver:8000/en-GB/debug/refresh
http://yoursplunkserver:8000/en-GB/debug/refresh?entity=admin/transforms-lookup
http://yoursplunkserver:8000/en-GB/debug/refresh?entity=admin/transforms-extract

0 Karma

Re: Reload transforms.conf without restarting splunk

Super Champion

You probably want to change en-GB to en-US, and this does take some time to run.
Did you get an error? If so, what was it?

0 Karma

Re: Reload transforms.conf without restarting splunk

Contributor

You need to replace "yoursplunkserver" with your server address. If you are using a local version of Splunk, replace "yoursplunkserver" with "localhost".

So, http://localhost:8000/en-GB/debug/refresh

0 Karma