Prior to upgrading to 6.3.0 from 6.1 I would like to know if disabling and enabling of APPs require a restart of the splunkd process in 6.3.0?
In version 6.3.0 the splunkweb process does not exist unless SPLUNK is run in legacy mode, and I would like to avoid running in legacy mode, hence it is not possible to only restart splunkweb.
Reason for asking is that I want to disable an APP that tends to generate an alert storm after restarting splunkd and then to enable the APP once SPLUNK has ingested the data backlog after restart. A second restart of splunkd would defeat the purpose of disabling the APP in the first place.
I'm not sure officially, but even though splunkweb is not an official separate process I can still restart it.
splunk@crn-splsh-01:~$ splunk version Splunk 6.3.0 (build aa7d4b1ccb80)
splunk@crn-splsh-01:~$ splunk restart splunkweb Your session is invalid. Please login. Splunk username: myuser Password: Splunk's web interface has been restarted.
Obviously, test and check on this and make sure it still does the same things it used to. It has seemed to me to work the same way, though.
While it doesn't seem to discuss this particular change, more info on when to restart is here.
I do not have a test system available at the moment to verify the behaviour, so it makes it difficult for me to test it beforehand.
I am just looking at the current 6.1 behaviour, where I get a warning that I need to restart Splunk in order to enable even a simple test APP.
The fact that the splunk restart splunkweb command seems to work does not mean that it actually does anything.
Here is an extract from the 6.3.0 Admin manual
Note: If either the startwebserver attribute is disabled, or the appServerPorts
attribute is set to anything other than 0 in web.conf, then manually starting
splunkweb does not do anything. The splunkweb process will not start in either