Prior to upgrading to 6.3.0 from 6.1 I would like to know if disabling and enabling of APPs require a restart of the splunkd process in 6.3.0?
In version 6.3.0 the splunkweb process does not exist unless SPLUNK is run in legacy mode, and I would like to avoid running in legacy mode, hence it is not possible to only restart splunkweb.
Reason for asking is that I want to disable an APP that tends to generate an alert storm after restarting splunkd and then to enable the APP once SPLUNK has ingested the data backlog after restart. A second restart of splunkd would defeat the purpose of disabling the APP in the first place.
I do not have a test system available at the moment to verify the behaviour, so it makes it difficult for me to test it beforehand.
I am just looking at the current 6.1 behaviour, where I get a warning that I need to restart Splunk in order to enable even a simple test APP.
The fact that the splunk restart splunkweb command seems to work does not mean that it actually does anything.
Here is an extract from the 6.3.0 Admin manual
Note: If either the startwebserver attribute is disabled, or the appServerPorts
attribute is set to anything other than 0 in web.conf, then manually starting
splunkweb does not do anything. The splunkweb process will not start in either