Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I debug/refresh Splunk Cloud env. or manage Splunk Cloud change via ACS without a Splunkd restart?

pstein
Engager
‎04-13-2023 08:11 AM

Two part question:

1) If I complete an individually owned App upgrade to our Victoria environment through the use of "Install App From File" which changes a props.conf setting, can I run a "debug/refresh" to reload the Splunk Cloud configs? 

 

2) Or, if I manage the App change through ACS CLI to edit_local_apps

https://docs.splunk.com/Documentation/SplunkCloud/9.0.2303/Config/RBAC

Upgrade app (Victoria) PATCH apps/victoria/{app} edit_local_apps AND install_apps

 

will my change circumnavigate a restart of the environment, and reload the configs simply by the use of ACS CLI?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

pstein
Engager
‎04-13-2023 11:08 AM

Thanks, Mattymo. Knowing debug/reload helps.

As I dug into your link and followed the link string to investigate further about REST API call, in this case using CURL, I found this tidbit:
"As a Splunk Cloud Platform user, you are restricted to interacting with the search tier only with the REST API."
Appears like my hands are tied when trying to find a non-restart solution similar to "debug/reload" like we enjoy onPrem.

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎04-13-2023 12:02 PM

I wouldn't give up yet...we have a lot of behind the scenes logic that takes care of distributing your configs in cloud and reducing the need for restarts, and the _reload option is available in cloud...are you certain you need a refresh? Generally props, i dont believe should require them anymore...

https://docs.splunk.com/Documentation/SplunkCloud/9.0.2303/Admin/RollingRestart#Reload_or_restart_be...


https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Configurationfilechangesthatrequirerestart#...

are you hitting some sort of issue or error?

I can always test your app in my stack if you want...

- MattyMo
0 Karma
Reply

pstein
Engager
‎04-13-2023 12:24 PM

No. At this point I'm not hitting a hurdle or error, but trying to do upfront work in determining whether there's a method of reloading without causing a restart after installing an App "from a file". We don't want an unexpected request for restart in order to complete the installation, and impact our customers uptime. But if challenged with a request to restart could turn to a 'reload' option.

In my immediate scenario, in our Victoria environment, I recently upgraded a self built app from v1.0.0 to version 1.0.1 during a maintenance window to fix an issue . The change was mostly correct, but now I need to tweak my App to pickup the correct timestamp, and my next available maintenance window is next Monday night. All I'm modifying is "MAX_TIMESTAMP_LOOKAHEAD" in props.conf  from 50 to 100.
I've been instructed to find a possible method to run a reload after the upgrade instead of a possible restart. 

If there isn't a way to 'reload' vs. 'restart' in the Cloud, that's ok. I just need to know so we can stay within our Maintenance Window.

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎04-13-2023 12:41 PM

I think it will just use reload. will try and replicate in my stack when i get the chance and let you know. Docs say it should just be a reload automagically for props/tranforms changes. 

- MattyMo
0 Karma
Reply

pstein
Engager
‎04-14-2023 06:51 AM

Thought I would just check in to see if you had any luck attempting in your stack. Unfortunately, I don't have a lab Cloud stack to attempt this myself. I appreciate your help.

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎04-14-2023 08:10 AM

Not yet, sorry, will have to try next week. 

- MattyMo
0 Karma
Reply

pstein
Engager
‎04-17-2023 01:37 PM

Found this very accurate list of reload/restart config changes, and when each will be enacted.

 

https://docs.splunk.com/Documentation/SplunkCloud/9.0.2303/Admin/RollingRestart?_ga=2.153172536.1431...

 

I think this answers my own question and aligns with what you previously mentioned.

Thank you for your help, @mattymo

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎04-17-2023 01:43 PM

Yeah, I linked that in my original answer. Let us know when you try and how it goes!

- MattyMo
0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎04-13-2023 08:21 AM

I don't believe you can run /debug/refresh in cloud, at least not how I tried it 

https://stackname .splunkcloud.com/en-US/debug/refresh

mattymo_1-1681399022135.png

That being said restarts aren't needed for much anymore these days. Are you certain you need to or is it habit?

can you achieve what you need with the _reload endpoint instead?

https://docs.splunk.com/Documentation/Splunk/9.0.4/RESTUM/RESTusing#Reload_endpoint

 

- MattyMo
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...