Splunk Enterprise Security

Splunk Component Reboot/Restart Detected

sunitm
New Member

Hi,

Is there a way to notify if any splunk components were restarted. For Example-Deployment servers, Search heads etc.. were restarted and an user needs to be notified. Thanks in advance.

Regards,
Sunith

0 Karma
1 Solution

ivanreis
Builder

If I understood you question properly, do you want to know when the splunk service(splunkd) is restarted? If so this information is under _audit log
run this query : index=_audit action=restart_splunkd

you can create an alert to be notified when this happen.

View solution in original post

0 Karma

sunitm
New Member

Hello Ivan,

Thanks for your prompt reply. Yes this answers my query.

0 Karma

ivanreis
Builder

If I understood you question properly, do you want to know when the splunk service(splunkd) is restarted? If so this information is under _audit log
run this query : index=_audit action=restart_splunkd

you can create an alert to be notified when this happen.

0 Karma
Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...