Splunk Search

Effect the change in Splunk

abhayneilam
Contributor

Hi,

Whenever I make any changes in the splunk configuation file, I need to restart splunk services to effect the changes made.

Do I have any alternative so that the changes will be effected without restarting splunk services ?

Please help !!

Many thanks for your kind support !!

Tags (2)
0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi abhayneilam,

As a rule of thumb you can go by: usually anything that affects indexing level changes require a splunk restart, while search level changes require a reload. Here's a good guideline on how to determine which is which.

http://www.splunk.com/base/Documentation/latest/admin/Indextimeversussearchtime

So index creation or settings modifications, props.conf time stamp extractions, or transforms.conf indexed field modifications as well as most .conf manual changes will require a restart.

If you make changes with $SPLUNK_HOME/bin/splunk CLI changes or within the UI, it wont require a restart....unless of course you get prompted for a restart

hope this helps ...

cheers, MuS

View solution in original post

Rocket66
Communicator

You can also use the http://[SPLUNKSERVER]:8000/en-us/debug/refresh to reload conf-files 🙂

DavidHourani
Super Champion

It sure is a time saver 🙂

0 Karma

Rocket66
Communicator

Absolutly right, MuS - but in some cases very useful 🙂

0 Karma

MuS
SplunkTrust
SplunkTrust

be aware that this does not refresh all endpoints, only

data/ui/[manager|nav|views]

and admin endpoints:
conf-times
alert_actions
clusterconfig
commandsconf
conf-deploymentclient
conf-inputs
conf-times
conf-wmi
cooked
datamodel-files
datamodelacceleration
datamodeledit
deploymentserver
eventtypes
fields
fifo
fvtags
indexes
localapps
lookup-table-files
macros
manager
monitor
nav
passwords
pools
quickstart
raw
savedsearch
scheduledviews
script
sourcetypes
ssl
syslog
tcpout-default
tcpout-group
tcpout-server
transforms-extract
transforms-lookup
udp
ui-prefs
views
viewstates
workflow-actions

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi abhayneilam,

As a rule of thumb you can go by: usually anything that affects indexing level changes require a splunk restart, while search level changes require a reload. Here's a good guideline on how to determine which is which.

http://www.splunk.com/base/Documentation/latest/admin/Indextimeversussearchtime

So index creation or settings modifications, props.conf time stamp extractions, or transforms.conf indexed field modifications as well as most .conf manual changes will require a restart.

If you make changes with $SPLUNK_HOME/bin/splunk CLI changes or within the UI, it wont require a restart....unless of course you get prompted for a restart

hope this helps ...

cheers, MuS

abhayneilam
Contributor

Thanks a lot for the prompt reply !!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...