I want to clear all splunk web session without restarting splunk service ? Is there a way to achieve this.
splunkd handles indexing, searching, forwarding, and (as of Splunk Enterprise version 6.2) the Web interface that you log into Splunk Enterprise with.
The process is a distributed C/C++ binary that accesses, processes, and indexes streaming data and handles search requests. It also handles the Splunk Web interface as of Splunk Enterprise version 6.2. You can configure the splunkd service without the Splunk Web component by configuring the instance as a light or heavy forwarder.
If you are running older version prior 6.2 you will be able to restart splunkweb.
1.How to check if I am running in legacy mode ?
Check if Splunk is running
To check if Splunk Enterprise is running, type this command at the shell prompt on the server host:
You should see this output:
splunkd is running (PID: 3162).
splunk helpers are running (PIDs: 3164).
If Splunk Enterprise runs in legacy mode, you will see an additional line in the output:
splunkweb is running (PID: 3216).
if you are running in legacy mode then you can run below command to restart splunkweb.
splunk restart splunkweb -auth username:password
For more details please kindly read the reference document listed at http://docs.splunk.com/Documentation/Splunk/6.3.2/Admin/StartSplunk#Start_Splunk_Enterprise_on_Unix_.... If you system is not running on legacy mode you have do restart splunk this restart splunkd ( indexer and splunk web interface).
Hi,
You can achieve this via REST API, have look at document http://docs.splunk.com/Documentation/Splunk/7.2.0/RESTREF/RESTaccess#authentication.2Fhttpauth-token..., so first you need to GET all the httpauth-tokens except splunk-system-user account and then use another REST API DELETE request to delete all httpauth-tokens, this will kick out all users session. I'll strongly recommend to perform this in Test Environment first before going to production.
Above steps only remove existing httpauth-tokens, if you will be going to change Splunk Web related configuration then you need to restart splunk.