Unable to remotely restart universal forwarder

adamblock1 · ‎06-18-2015

I am attempting to restart a universal forwarder which is running on a Windows server. I enter the following: hxxps://server:8089/services/server/control/restart, replacing "server" with the hostname/ip of the server. I am then prompted to enter the admin user/password.

After the credentials are accepted, instead of the forwarder restarting, I receive the following:

<response>
<messages>
<msg type="ERROR">
In handler 'server-control': Invalid request, restart requires POST (handler: server-control, action:restart, eai action: list).
</msg>
</messages>
</response>

Assistance with this would be greatly appreciated.

Thank you.

ddrillic · ‎09-26-2016

The following can help a bit at Restart a UF via CLI / other remote means

dominiquevocat · ‎09-26-2016

You might be able to make use of this app: https://splunkbase.splunk.com/app/2775/

MuS · ‎06-18-2015

Hi adamblock1,

Well the message is pretty clear, it says restart requires POST and like in the docs http://docs.splunk.com/Documentation/Splunk/6.2.3/RESTREF/RESTsystem#server.2Fcontrol.2Frestart use the provided example and run

curl -k -u admin:changeme https://localhost:8089/services/server/control/restart -X POST

and it will work. But, I don't know if this is going to work on an UF as well, since the supported remote commands http://docs.splunk.com/Documentation/Splunk/6.2.3/Admin/AccessandusetheCLIonaremoteserver do not include

Start, stop, restart
Status, version

Maybe you can provide an update if it's working 😉

Hope that helps ...

cheers, MuS

splunkreal · ‎10-28-2020

yes it still works, I think the UF downloads the conf and restarts by itself 🙂

* If this helps, please upvote or accept solution 🙂 *

Unable to remotely restart universal forwarder

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms