Getting Data In

Why is indexes.conf change not reflected in GUI without restart?

jankowsr
Path Finder

I use Splunk Enterprise 8.0.4.1

In indexes.conf I have changed maxTotalDataSizeMB value.

According to https://docs.splunk.com/Documentation/Splunk/8.0.4/Indexer/Determinerestart that kind of change should not require splunk restart. Anyway I can't see the change in GUI https://my_splunk/en-US/manager/launcher/data/indexes without doing splunk restart. Any clue why is it like that?

Labels (1)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

at least in some cases when you are using some REST queries those didn't work correctly before restarts (some volume/index sizes if I recall right). This is probably some kind of bug?

One thing what you can try is using http(s)://<your splunk>(<:port>)/debug/refresh. Try to reload and check if it helps. If not then you probably needs a restart.

r. Ismo

View solution in original post

PickleRick
SplunkTrust
SplunkTrust

I assume you're using an all-in-one installation.

In a bigger setup you'd normally not even be able to see the indexes defined on your indexers by clicking on the search-heads (the search-heads can have their own indexes if they're not configured according to good-practices to send the events to indexers).

So I'd assume it's not as much a "bug" as a "misfeature". It's simply that the change to the indexes.conf is being picked up by the indexing part of the splunk daemon but since it's not being done from UI, the "search head" part of the daemon is not aware of this. It happens with other parts of the config too - if they're done in UI, the UI takes care of refreshing the config and keeping things consistent. If they're done manually by fiddling with the conf files, the UI might not catch-up immediately on the changes.

isoutamo
SplunkTrust
SplunkTrust

Hi

at least in some cases when you are using some REST queries those didn't work correctly before restarts (some volume/index sizes if I recall right). This is probably some kind of bug?

One thing what you can try is using http(s)://<your splunk>(<:port>)/debug/refresh. Try to reload and check if it helps. If not then you probably needs a restart.

r. Ismo

jankowsr
Path Finder

Thank you, the link you provided did the job.

It's still not clear to me if this is needed because of any kind of bug but at least restart is not needed.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...