I've got four indexers and two search heads in a distributed environment. I've got a new sourcetype coming into my indexers from a forwarder which hasn't been configured yet.
When I define it in props.conf:
blah blah blah
am I able to use
| extract reload=true instead of a full splunkd restart? Will it have the same effect? I'm always hesitant to do a full restart of indexers as it is a critical component of our monitoring.
No, certain props.conf settings will require a restart of Splunk. That's settings that have impact on indexing, such as
TIME_FORMAT, LINE_BREAKER, TRANSFORMS etc
Purely search-time stuff like FIELDALIAS and EXTRACT does not require restarts.
If it can, then it will be refreshed if you hit http://SPLUNKHOST:8000/debug/refresh
Any manager entity that can be refreshed from disk without a restart registers itself such that basically it gets refreshed when that page is hit. Conversely, if hitting that page does not refresh some config, then it's a safe bet that it really does require a restart.
If you have Sideview Utils on the system note that there is a little form at /app/sideview_utils/refresh_entities that you can use to refresh one particular entity at a time.