Getting Data In

Why is indexes.conf change not reflected in GUI without restart?

jankowsr
Path Finder

I use Splunk Enterprise 8.0.4.1

In indexes.conf I have changed maxTotalDataSizeMB value.

According to https://docs.splunk.com/Documentation/Splunk/8.0.4/Indexer/Determinerestart that kind of change should not require splunk restart. Anyway I can't see the change in GUI https://my_splunk/en-US/manager/launcher/data/indexes without doing splunk restart. Any clue why is it like that?

Labels (1)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

at least in some cases when you are using some REST queries those didn't work correctly before restarts (some volume/index sizes if I recall right). This is probably some kind of bug?

One thing what you can try is using http(s)://<your splunk>(<:port>)/debug/refresh. Try to reload and check if it helps. If not then you probably needs a restart.

r. Ismo

View solution in original post

PickleRick
SplunkTrust
SplunkTrust

I assume you're using an all-in-one installation.

In a bigger setup you'd normally not even be able to see the indexes defined on your indexers by clicking on the search-heads (the search-heads can have their own indexes if they're not configured according to good-practices to send the events to indexers).

So I'd assume it's not as much a "bug" as a "misfeature". It's simply that the change to the indexes.conf is being picked up by the indexing part of the splunk daemon but since it's not being done from UI, the "search head" part of the daemon is not aware of this. It happens with other parts of the config too - if they're done in UI, the UI takes care of refreshing the config and keeping things consistent. If they're done manually by fiddling with the conf files, the UI might not catch-up immediately on the changes.

isoutamo
SplunkTrust
SplunkTrust

Hi

at least in some cases when you are using some REST queries those didn't work correctly before restarts (some volume/index sizes if I recall right). This is probably some kind of bug?

One thing what you can try is using http(s)://<your splunk>(<:port>)/debug/refresh. Try to reload and check if it helps. If not then you probably needs a restart.

r. Ismo

jankowsr
Path Finder

Thank you, the link you provided did the job.

It's still not clear to me if this is needed because of any kind of bug but at least restart is not needed.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...