Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Does disabling or enabling apps require a restart of the splunkd process in Splunk 6.3.0?

langhorn
Explorer
‎10-27-2015 03:31 AM

Prior to upgrading to 6.3.0 from 6.1 I would like to know if disabling and enabling of APPs require a restart of the splunkd process in 6.3.0?

In version 6.3.0 the splunkweb process does not exist unless SPLUNK is run in legacy mode, and I would like to avoid running in legacy mode, hence it is not possible to only restart splunkweb.

Reason for asking is that I want to disable an APP that tends to generate an alert storm after restarting splunkd and then to enable the APP once SPLUNK has ingested the data backlog after restart. A second restart of splunkd would defeat the purpose of disabling the APP in the first place.

Thanks.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎10-27-2015 04:42 AM

I'm not sure officially, but even though splunkweb is not an official separate process I can still restart it.

splunk@crn-splsh-01:~$ splunk version
Splunk 6.3.0 (build aa7d4b1ccb80)

and

splunk@crn-splsh-01:~$ splunk restart splunkweb
Your session is invalid.  Please login.
Splunk username: myuser
Password:
Splunk's web interface has been restarted.

Obviously, test and check on this and make sure it still does the same things it used to. It has seemed to me to work the same way, though.

While it doesn't seem to discuss this particular change, more info on when to restart is here.

0 Karma
Reply

langhorn
Explorer
‎10-27-2015 05:26 AM

Thanks.
I do not have a test system available at the moment to verify the behaviour, so it makes it difficult for me to test it beforehand.
I am just looking at the current 6.1 behaviour, where I get a warning that I need to restart Splunk in order to enable even a simple test APP.

The fact that the splunk restart splunkweb command seems to work does not mean that it actually does anything.
Here is an extract from the 6.3.0 Admin manual

Note: If either the startwebserver attribute is disabled, or the appServerPorts
attribute is set to anything other than 0 in web.conf, then manually starting
splunkweb does not do anything. The splunkweb process will not start in either
case.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...