Reload transforms.conf without restarting splunk

jrodriguezap
Contributor

Is there a way where I do not have to restart splunk to enable a new indexing?
How to reload transforms.conf without restart...

Thanks

kamunusa
Engager

Hi,

A small doubt...

Should I add something before ...| extract reload=T in the search bar? "| extract reload=T" alone didn't work for me.

I tried all the three links

Still, the sourcetypes are not listed in.

Thanks in advance,
Kannan

0 Karma

kamunusa
Engager

Hi Matt,

Tried that link already.. It didn't work..

Is there anything that could stop refreshing the conf files ??

Thanks,
Kannan

0 Karma

watsm10
Communicator

Hi,

If an extract reload isn't working for you, try doing a debug refresh (see 3rd answer for reference).

Cheers,
Matt.

0 Karma

jrodriguezap
Contributor

Thanks for your answers.
Actually if I refer to the indexing configuration, it could change in real time without restarting splunk?
I did not get to
http://yoursplunkserver:8000/en-GB/debug/refresh
http://yoursplunkserver:8000/en-GB/debug/refresh?entity=admin/transforms-lookup
http://yoursplunkserver:8000/en-GB/debug/refresh?entity=admin/transforms-extract

0 Karma

jrodriguezap
Contributor

Thank you very much Drainy.
Please, I think you may be able to help me with a question I opened a while ago that so far I could not finish; it is as follows:
http://answers.splunk.com/answers/101788/indexing-queues-greater-than-100-lines

Hopefully possible.
thanks

0 Karma

Drainy
Champion

Yeah, as in my answer above. You do need a restart for index time changes to take effect; I believe the different processors have to be restarted for the changes to take effect.

0 Karma

jrodriguezap
Contributor

Uhm ... I ran all these URLs, obviously with my host parameters, but it does not send to the nullQueue the changes I've made. I necessarily have to restart.

0 Karma

Ayn
Legend

en-GB is just another locale just like en-US, so it doesn't need to be changed.

watsm10
Communicator

You need to replace "yoursplunkserver" with your server address. If you are using a local version of splunk, replace "yoursplunkserver" with "localhost".

So, http://localhost:8000/en-GB/debug/refresh

0 Karma

lukejadamec
Super Champion

You probably want to change en-GB to en-US, and this does take some time to run.
Did you get an error? If so, what was it?

0 Karma

watsm10
Communicator

Hi Jrodriguez.

You can reload any number of config files at index time using the debug refresh endpoint in Splunk. I use this all the time when I make changes to props.conf.
You can view all of the endpoints by typing the following into your browser:

http://yoursplunkserver:8000/en-GB/debug/refresh

and to explicitly reload the transforms.conf file, use the following:

http://yoursplunkserver:8000/en-GB/debug/refresh?entity=admin/transforms-lookup
for new lookup file definitions that reside within transforms.conf

http://yoursplunkserver:8000/en-GB/debug/refresh?entity=admin/transforms-extract
for new field transforms/extractions that reside within transforms.conf

Hope this helps!

vsingla1
Communicator

Just to add to this: you can refresh the entities without explicitly hitting the endpoint; you can do so from the CLI with the command below:
curl -u admin: -X POST http://:8089/servicesNS/-/-/admin/transforms-reload/_reload

above is an example of reloading the transforms entity, but in a similar way, you can do reload for other entities as well.

0 Karma

Drainy
Champion

Just to expand on RTurk's answer, in newer versions you don't need to run this.

Each time you run a search Splunk will fork off a new process and reload the props and transforms as part of that - for any search time changes.
Any index time changes still require a restart.

Ayn
Legend

extract refers to search-time field extractions.

0 Karma

lukejadamec
Super Champion

Is 'transforms-extract' an index time change or a search time change? I don't know myself, and there are two conflicting answers here.

0 Karma
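
The index-time versus search-time split discussed in the answers above, as an added example that is not code from any poster in this thread: it reads a props.conf and transforms.conf pair and reports, for each referenced transform, whether it is wired in with TRANSFORMS- (index time, restart per Drainy's answer) or REPORT- (search time, reloadable), and flags a nullQueue-style DEST_KEY transform that was attached under REPORT- by mistake. The sourcetype, stanza names and sample config are constructed for illustration.

```python
import configparser

# Constructed sample config, not taken from the thread.
PROPS = r"""
[my_firewall]
TRANSFORMS-drop_debug = drop_debug_events
REPORT-fw_fields = fw_kv_fields, drop_info_events
"""
TRANSFORMS = r"""
[drop_debug_events]
REGEX = level=DEBUG
DEST_KEY = queue
FORMAT = nullQueue

[drop_info_events]
REGEX = level=INFO
DEST_KEY = queue
FORMAT = nullQueue

[fw_kv_fields]
REGEX = (\w+)=(\S+)
FORMAT = $1::$2
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep Splunk's case-sensitive setting names
    cp.read_string(text)
    return cp

def classify(props_text, transforms_text):
    """Map each referenced transforms stanza to (phase, action, warning)."""
    props, transforms = _parse(props_text), _parse(transforms_text)
    report = {}
    for sourcetype in props.sections():
        for key, value in props[sourcetype].items():
            if key.startswith("TRANSFORMS-"):
                phase, action = "index-time", "restart"
            elif key.startswith("REPORT-"):
                phase, action = "search-time", "reload"
            else:
                continue
            for name in (n.strip() for n in value.split(",")):
                dest_key = transforms.get(name, "DEST_KEY", fallback=None)
                # DEST_KEY is an index-time setting; under REPORT- it has no effect.
                warn = phase == "search-time" and dest_key is not None
                report[name] = (phase, action, warn)
    return report

if __name__ == "__main__":
    for name, row in classify(PROPS, TRANSFORMS).items():
        print(name, *row)
```

A stanza reported with the warning set is the case where a reload appears to "do nothing": the routing to nullQueue only happens when the transform is referenced from a TRANSFORMS- setting.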

rturk
Builder

Hi Jrodriguez,

To reload the search-time functions of props.conf and transforms.conf issue the following command in the search query bar:

| extract reload=T

Hope this helps 🙂

RT
