Splunk® Enterprise

Admin Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

When to restart Splunk Enterprise after a configuration file change

When you make changes to Splunk Enterprise using the configuration files, you might need to restart Splunk Enterprise for the changes to take effect.

Note: Changes made in Splunk Web are less likely to require restarts. This is because Splunk Web automatically updates the underlying configuration file(s) and notifies the running Splunk Enterprise instance (splunkd) of the changes.

This topic provides guidelines to help you determine whether to restart after a change. Whether a change requires a restart depends on a number of factors, and this topic does not provide a definitive authority. Always check the configuration file or its reference topic to see whether a particular change requires a restart. For a full list of configuration files and an overview of the area each file covers, see List of configuration files in this manual.

When to restart forwarders

If you make a configuration file change to a heavy forwarder, you must restart the forwarder, but you do not need to restart the receiving indexer. If the changes are part of a deployed app already configured to restart after changes, then the forwarder restarts automatically.

When to restart Splunk Web

You must restart Splunk Web to enable or disable SSL for Splunk Web access.

When to restart splunkd

As a general rule, anything that modifies:

  • Settings and properties that affect indexers and indexing behavior
  • Settings and properties that affect users and roles.
  • Settings and properties that affect Splunk's core configuration.

Index changes

Note: When settings which affect indexing are made through the UI and CLI they do not require restarts and take place immediately.

  • Index time field extractions
  • Time stamp properties

User and role changes

Any user and role changes made in configuration files require a restart, including:

  • LDAP configurations (If you make these changes in Splunk Web you can reload the changes without restarting.)
  • Password changes
  • Changes to role capabilities
  • Splunk Enterprise native authentication changes, such as user-to-role mappings.

System changes

Things which affect the system settings or server state require restart.

  • Licensing changes
  • Web server configuration updates
  • Changes to general indexer settings (minimum free disk space, default server name, etc.)
  • Changes to General Settings (eg., port settings)
  • Changing a forwarder's output settings
  • Changing the timezone in the OS of a splunk server (Splunk Enterprise retrieves its local timezone from the underlying OS at startup)
  • Creating a pool of search heads
  • Installing some apps may require a restart. Consult the documentation for each app you are installing.
  • Props and transforms that do not hit the following endpoints:
    • /configs/conf-props/_reload
    • /configs/conf-transforms/_reload
    • /admin/transforms-reload

Splunk Enterprise changes that do not require a restart

Settings which apply to search-time processing take effect immediately and do not require a restart. This is because searches run in a separate process that reloads configurations. For example, lookup tables, tags and event types are re-read for each search.

This includes (but is not limited to) changes to:

  • Lookup tables
  • Field extractions
  • Knowledge objects
  • Tags
  • Event types
  • Props and transforms that hit the following endpoints:
    • /configs/conf-props/_reload
    • /configs/conf-transforms/_reload
    • /admin/transforms-reload

Files that contain search-time operations include (but are not limited to):

  • macros.conf
  • props.conf Changes to search-time field extractions are re-read at search time
  • transforms.conf
  • savedsearches.conf (If a change creates an endpoint you must restart.)


Learn More

PREVIOUS
How to edit a configuration file
  NEXT
List of configuration files

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15


Comments

Re: savedsearches.conf, can the phrase "if a change creates an endpoint" be elaborated upon? Does that mean if I create a new search?

Sowings splunk
July 31, 2014

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters