Monitoring Splunk

Audit.log restart_splunkd- What produces these messages, and how can I tell if splunkd restarted?

hartsoftware
Engager

I'm seeing many action=restart_splunkd messages from my "_audit" index. I can tell from my processor status that splunkd is not restarting, yet I'm receiving these messages in my _audit index. Can someone help me understand what produces these messages? Also, how can I tell when splunkd actually did restart?

Thanks.


som_shekhar
New Member

Hi, I see this noise in Splunk 8.0.1 also.

0 Karma

andrewtrobec
Motivator

Splunk 8.0.5 too.

0 Karma

araitz
Splunk Employee

This is some unfortunate noise from the audit handler. In the future, we hope to improve the audit logging. Genti's answer is correct regarding detecting actual shut downs.

ckurtz
Path Finder

Occurring in 5.0.4, too. Always nice to see the official answer from Genti! (He was here last week helping us)

0 Karma

the_wolverine
Champion

It is still occurring in version 5.0.3.

0 Karma

Genti
Splunk Employee

Yeap, 2 more bugs submitted regarding the above

0 Karma

Genti
Splunk Employee

Actually, if you notice, audit.log will have this message logged every minute, and sometimes more than once per minute (i.e. it sends the action twice, or at least logs it twice).
For a real splunkd restart, check your splunkd.log (located at $SPLUNK_HOME/var/log/splunk/) for messages like:

10-21-2010 14:40:17.044 INFO  loader - Splunkd starting (build 82143).

and

10-21-2010 14:40:13.029 INFO  ShutdownHandler - Shutdown complete in 2125.5 milliseconds
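As an added example (not part of this thread and not Splunk's own tooling), here is a small Python script that applies the approach above: it scans splunkd.log for the loader "Splunkd starting" line and the ShutdownHandler "Shutdown complete" line and pairs them into restart records, so the audit index's action=restart_splunkd events are not needed as evidence. The log lines are constructed samples modelled on the two quoted above; the timestamp layout and the third, unrelated line are assumptions. A start with no preceding shutdown is reported with an unknown downtime, since that pattern has no clean-shutdown record to pair with.

```python
import re
from datetime import datetime

# Constructed sample splunkd.log content (not from any real system). The two
# lifecycle message formats follow the lines quoted in the thread; the
# TailingProcessor line is just filler to show unrelated lines are skipped.
SAMPLE_SPLUNKD_LOG = """\
10-21-2010 14:40:13.029 INFO  ShutdownHandler - Shutdown complete in 2125.5 milliseconds
10-21-2010 14:40:17.044 INFO  loader - Splunkd starting (build 82143).
10-21-2010 14:41:00.100 INFO  TailingProcessor - Parsing configuration stanza: monitor:///var/log/messages.
10-22-2010 09:15:02.500 INFO  ShutdownHandler - Shutdown complete in 980.0 milliseconds
10-22-2010 09:15:09.250 INFO  loader - Splunkd starting (build 82143).
10-23-2010 03:00:01.000 INFO  loader - Splunkd starting (build 82143).
"""

TS_FMT = "%m-%d-%Y %H:%M:%S.%f"
# Generic splunkd.log line: "<timestamp> <LEVEL> <component> - <message>" (assumed layout).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) +(?P<level>\w+) +"
    r"(?P<component>\S+) - (?P<msg>.*)$"
)
START_RE = re.compile(r"Splunkd starting \(build (?P<build>\w+)\)")
STOP_RE = re.compile(r"Shutdown complete in (?P<ms>[\d.]+) milliseconds")


def lifecycle_events(log_text):
    """Return (timestamp, kind, detail) tuples for shutdown/start lines, in file order.

    kind is "shutdown" (detail = shutdown duration in ms) or "start" (detail = build).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        component, msg = m.group("component"), m.group("msg")
        if component == "ShutdownHandler" and (s := STOP_RE.search(msg)):
            events.append((ts, "shutdown", float(s.group("ms"))))
        elif component == "loader" and (s := START_RE.search(msg)):
            events.append((ts, "start", s.group("build")))
    return events


def restarts(log_text):
    """Pair each 'Splunkd starting' with the most recent preceding clean shutdown.

    downtime_s is None when no shutdown record precedes the start, i.e. the
    previous instance did not go through ShutdownHandler (worth a closer look).
    """
    records = []
    last_shutdown = None
    for ts, kind, detail in lifecycle_events(log_text):
        if kind == "shutdown":
            last_shutdown = ts
        elif kind == "start":
            gap = (ts - last_shutdown).total_seconds() if last_shutdown else None
            records.append({"started": ts, "build": detail, "downtime_s": gap})
            last_shutdown = None
    return records


if __name__ == "__main__":
    for r in restarts(SAMPLE_SPLUNKD_LOG):
        gap = "unknown (no clean shutdown logged)" if r["downtime_s"] is None else f"{r['downtime_s']:.3f}s"
        print(f"{r['started']} splunkd started, build {r['build']}, downtime {gap}")
```

To use it on a real file, replace SAMPLE_SPLUNKD_LOG with the contents of $SPLUNK_HOME/var/log/splunk/splunkd.log; the same logic can be expressed as a search over index=_internal sourcetype=splunkd if you prefer to do it inside Splunk.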

wandrilleD
Engager

It looks like it's still occurring in newer versions; we are currently on 6.4 and still have the same problem.

My question is, with your solution above, is it not possible to track which user launched the restart?

0 Karma

samsplunks
Explorer

Fast forward to 2019, Splunk 7, the bug is still happening.

One dashboard queries and evals action="restart_splunkd", which causes an Audit:[timestamp=XXX, user=XXX, action=restart_splunkd, info=granted][n/a] log to appear in the _audit index with an audittrail sourcetype (every time the dashboard is reloaded).

0 Karma

JosephHobbs
Path Finder

Almost 2023 in Splunk 9.x and it's still an issue...

0 Karma