Hi,
I've got four indexers and two search heads in a distributed environment. I've got a new sourcetype coming into my indexers from a forwarder which hasn't been configured yet.
When I define it in props.conf:
[mysourcetype]
TIME_PREFIX=starttime
blah blah blah
am I able to use | extract reload=true
instead of a full splunkd restart? Will it have the same effect? I'm always hesitant to do a full restart of indexers as it is a critical component of our monitoring.
Thanks,
Matt
No, certain props.conf settings will require a restart of Splunk. That's settings that have impact on indexing, such as TIME_FORMAT, LINE_BREAKER, TRANSFORMS etc
Purely search-time stuff like FIELDALIAS and EXTRACT does not require restarts.
/K
Thanks guys! The debug/refresh has worked. No longer will I have to restart 😄 I love Splunk Base!
Good points. I believe I've strayed too far from the GUI, but not far enough... 🙂
If it can, then it will be refreshed if you hit http://SPLUNKHOST:8000/debug/refresh
Any manager entity that can be refreshed from disk without a restart registers itself such that basically it gets refreshed when that page is hit. Conversely, if hitting that page does not refresh some config, then it's a safe bet that it really does require a restart.
If you have Sideview Utils on the system note that there is a little form at /app/sideview_utils/refresh_entities that you can use to refresh one particular entity at a time.
There must be a way.. we can add to props.conf for index-time stuff through the GUI when adding new inputs. Is there a way we can replicate this? Maybe a custom view?