Re: Which apps need the restartSplunkd to be true?

spl_aficionado · ‎02-25-2026

We recently realized that the restartSplunkd attribute is more effective when defined at the individual app level rather than the server class level. We are currently refactoring our serverclass.conf to assign this attribute to every app, but we want to be more surgical with our approach.

Could anyone clarify the logic behind which specific types of apps require a Splunk restart to take effect?
Specifically, we are looking for guidance on these scenarios:

Apps deployed to Universal Forwarders (UFs).
Heavy Forwarders (HFs).
Input apps (inputs.conf).
Parsing apps (props.conf and transforms.conf) deployed to Indexers
and more.

PickleRick · ‎02-26-2026

As a rule of thumb, everything that affects ingestion (which means apps deploying inputs and index-time transforms) requires restart. For search-time settings it's usual enough to reload or debug/refresh.

As a side note - since settings affecting ingest pipeline require restart, you might consider splitting parsing from indexers (push data through HFs first so that indexers receive already parsed data). This adds complexity and hardware to your environment but lowers load on the indexers and limits demands to restart indexers.

gcusello · ‎02-25-2026

Hi @spl_aficionado ,

to avoid to not apply changes I usually configure restart for each application!

Even if I know that it shouldn't be the best approach, but I don't want to lose time,

Ciao.

Giuseppe

Which apps need the restartSplunkd to be true?

data

other

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

Join the Conversation