Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Will | extract reload=true command refresh everything in props.conf?

watsm10
Communicator
‎04-19-2013 07:23 AM

Hi,

I've got four indexers and two search heads in a distributed environment. I've got a new sourcetype coming into my indexers from a forwarder which hasn't been configured yet.

When I define it in props.conf:

[mysourcetype]
TIME_PREFIX=starttime
blah blah blah

am I able to use | extract reload=true instead of a full splunkd restart? Will it have the same effect? I'm always hesitant to do a full restart of indexers as it is a critical component of our monitoring.

Thanks,

Matt

Reply

kristian_kolb
Ultra Champion
‎04-19-2013 08:47 AM

No, certain props.conf settings will require a restart of Splunk. That's settings that have impact on indexing, such as TIME_FORMAT, LINE_BREAKER, TRANSFORMS etc

Purely search-time stuff like FIELDALIAS and EXTRACT does not require restarts.

/K

Reply

watsm10
Communicator
‎04-23-2013 01:34 AM

Thanks guys! The debug/refresh has worked. No longer will I have to restart 😄 I love Splunk Base!

0 Karma
Reply

kristian_kolb
Ultra Champion
‎04-22-2013 12:18 PM

Good points. I believe I've strayed too far from the GUI, but not far enough... 🙂

Reply

sideview
SplunkTrust
SplunkTrust
‎04-19-2013 06:08 PM

If it can, then it will be refreshed if you hit http://SPLUNKHOST:8000/debug/refresh

Any manager entity that can be refreshed from disk without a restart registers itself such that basically it gets refreshed when that page is hit. Conversely, if hitting that page does not refresh some config, then it's a safe bet that it really does require a restart.

If you have Sideview Utils on the system note that there is a little form at /app/sideview_utils/refresh_entities that you can use to refresh one particular entity at a time.

Reply

watsm10
Communicator
‎04-19-2013 08:53 AM

There must be a way.. we can add to props.conf for index-time stuff through the GUI when adding new inputs. Is there a way we can replicate this? Maybe a custom view?

Reply
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...