Hi at all,
a very quick answer:
I modified transforms.conf in one app without restarting Splunk:
The update I performed was to add three new fields in a FIELDS row after DELIM:
[my_transform]
DELIM = "|"
FIELDS = "field1","field2","newfield1",newfield2","newfield3"
The strange behavior (but maybe I didn't understand it) is that my search sees the new fields without any Splunk restart and if I remove the new fields, my search doesn't see them!
It seems that transforms.conf is reading every time at search time.
Can anyone confirm this and/or explain this behavior?
Bye.
Giuseppe
Hi @cusello,
Each time you run a search Splunk will fork off a new process and reload the props and transforms as part of that - for any search time changes. So, Settings that apply to search-time processing take effect immediately and do not require a restart.
In addition, index-time props and transforms do not require restarts, as long as your indexers are receiving the data from forwarders.
reference: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationfilechangesthatrequirerestart
Hi @cusello,
Each time you run a search Splunk will fork off a new process and reload the props and transforms as part of that - for any search time changes. So, Settings that apply to search-time processing take effect immediately and do not require a restart.
In addition, index-time props and transforms do not require restarts, as long as your indexers are receiving the data from forwarders.
reference: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationfilechangesthatrequirerestart
That is expected behavior. There are plenty of config changes that you can make which do not require splunk to be restarted.
For details, see: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationfilechangesthatrequirerestart