Solved: Can I reload savedsearches.conf without restarting...

echalex · ‎10-09-2012

Hi,

Since, I'm runnning into problems with concurrent historical searches approaching the limit, I decided to heed the advice of rescheduling them not to run on top of the hour every hour.

Since there are a lot of those, I prefer to do it in the shell:

cd etc/apps/webintelligence
egrep '^(cron.*|\[.*\])$' default/savedsearches.conf  | \
egrep -B 1 'cron_schedule = 0(\ \*){4}' | \ 
perl -pe 's/0((?:\ \*){4})/3$1\n/g' > local/savedsearches.conf

What this does, is take every stanza with a cron_schedule of 0 * * * * and turn it into 3 * * * *, ie. running it 3 minutes after the hour.

Unfortunately, Splunk doesn't recognise this change. (and I've tried |extract reload=T). If I click on each saved search, it will show the correct schedule, but under the "Searches and reports", it is still scheduled to run at 15:00, rather than 15:03.

So can I reload this configuration without restarting Splunk?

Ayn · ‎10-09-2012

Yes. Hitting the /debug/refresh endpoint should activate these changes.

http(s)://yoursplunkhost:8000/debug/refresh

View solution in original post

dougmartin · ‎06-23-2016

You can access specific reloads like this:
https://spliunk:8080/en-US/debug/refresh?entity=admin/savedsearch

gfrjonp · ‎11-08-2012

Check this out:
http://splunk-base.splunk.com/answers/5838/can-inputsconf-be-reloaded-without-restarting-splunkd?pag...

cd /opt/splunk/bin (or your $SPLUNK_BASE)
./splunk _internal call /services/data/inputs/monitor/_reload -auth

This will prompt you for username & pass of a web admin user.

Ayn · ‎10-09-2012

Yes. Hitting the /debug/refresh endpoint should activate these changes.

http(s)://yoursplunkhost:8000/debug/refresh

View solution in original post

splunk68 · ‎05-17-2013

It worked for me, on Splunk Search Head 5.0.2.

echalex · ‎10-09-2012

Ok, that does explain it.
Thanks for your help!

Ayn · ‎10-09-2012

I imagine this will not have effect on events that have already entered the scheduler.

echalex · ‎10-09-2012

I still can't see the changes. It does seem that the new schedule enters into force after the next scheduled run, in any case.

Should it work for all apps?

Ayn · ‎10-09-2012

Sorry, my bad - the link should point to the regular Splunk web interface, not the splunkd port. Updated my answer with the correct link.

echalex · ‎10-09-2012

Thanks,

It does not seem to work... Does it matter that that I get a 404 error from that url?

Can I reload savedsearches.conf without restarting?

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!

Learn More or Register Now >

Can I reload savedsearches.conf without restarting?

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too! Learn More or Register Now >

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!

Learn More or Register Now >