- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Effect the change in Splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Whenever I make any changes in the splunk configuation file, I need to restart splunk services to effect the changes made.
Do I have any alternative so that the changes will be effected without restarting splunk services ?
Please help !!
Many thanks for your kind support !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi abhayneilam,
As a rule of thumb you can go by: usually anything that affects indexing level changes require a splunk restart, while search level changes require a reload. Here's a good guideline on how to determine which is which.
http://www.splunk.com/base/Documentation/latest/admin/Indextimeversussearchtime
So index creation or settings modifications, props.conf time stamp extractions, or transforms.conf indexed field modifications as well as most .conf manual changes will require a restart.
If you make changes with $SPLUNK_HOME/bin/splunk CLI changes or within the UI, it wont require a restart....unless of course you get prompted for a restart
hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can also use the http://[SPLUNKSERVER]:8000/en-us/debug/refresh to reload conf-files 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sure is a time saver 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Absolutly right, MuS - but in some cases very useful 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
be aware that this does not refresh all endpoints, only
data/ui/[manager|nav|views]
and admin endpoints:
conf-times
alert_actions
clusterconfig
commandsconf
conf-deploymentclient
conf-inputs
conf-times
conf-wmi
cooked
datamodel-files
datamodelacceleration
datamodeledit
deploymentserver
eventtypes
fields
fifo
fvtags
indexes
localapps
lookup-table-files
macros
manager
monitor
nav
passwords
pools
quickstart
raw
savedsearch
scheduledviews
script
sourcetypes
ssl
syslog
tcpout-default
tcpout-group
tcpout-server
transforms-extract
transforms-lookup
udp
ui-prefs
views
viewstates
workflow-actions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi abhayneilam,
As a rule of thumb you can go by: usually anything that affects indexing level changes require a splunk restart, while search level changes require a reload. Here's a good guideline on how to determine which is which.
http://www.splunk.com/base/Documentation/latest/admin/Indextimeversussearchtime
So index creation or settings modifications, props.conf time stamp extractions, or transforms.conf indexed field modifications as well as most .conf manual changes will require a restart.
If you make changes with $SPLUNK_HOME/bin/splunk CLI changes or within the UI, it wont require a restart....unless of course you get prompted for a restart
hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot for the prompt reply !!
What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience
Take Your Breath Away with Splunk Risk-Based Alerting (RBA)
SignalFlow: What? Why? How?
