Solved: Determine Splunkd restart reason

Derek · ‎07-13-2010

I have a user who did something that is now prompting for a splunk restart.

Is there any way to determine what config change they made?

I've looked through the _internal index but with no luck.

Thanks!

gkanapathy · ‎07-13-2010

The _audit index normally contains fschange events for changes in Splunk config files (actually everything under $SPLUNK_HOME/etc). Look for action=update. The splunkd_access and splunkweb_access logs also show user activity. It is possible that no changes were made and that the notification in the GUI was triggered by going to a page where a change might have been made. It is also possible that a change was made and immediately reversed before the fschange notification could detect it.

View solution in original post

gkanapathy · ‎07-13-2010

The _audit index normally contains fschange events for changes in Splunk config files (actually everything under $SPLUNK_HOME/etc). Look for action=update. The splunkd_access and splunkweb_access logs also show user activity. It is possible that no changes were made and that the notification in the GUI was triggered by going to a page where a change might have been made. It is also possible that a change was made and immediately reversed before the fschange notification could detect it.

Derek · ‎07-14-2010

Thanks! It was most likely going to a page where a change may have happend.

Determine Splunkd restart reason

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor