Manage a rolling restart in Splunk Cloud
Some configuration updates can cause the indexers in your Splunk Cloud deployment to begin a process called a rolling restart. To minimize the impact of a rolling restart, deploy these updates during off-peak hours.
What users experience during a rolling restart
A rolling restart means that indexers restart in sequence.
Depending on the details of your data inputs, indexing probably continues. Using forwarders or other types of load balancers, rather than network inputs alone, increases the robustness of your indexing during a rolling restart.
Searches still run during a rolling restart, but they might return incomplete results. Users running searches in Splunk Web receive a message warning of incomplete search results.
What triggers a rolling restart
Deploying certain configuration changes triggers a rolling restart. Examples of changes that trigger a rolling restart include, but are not limited to, the following tasks:
- Source type management
- Deleting an index
- Deleting the last HEC token (which deletes the app, causing a rolling restart)
- Installing some apps and add-ons ( See Rolling restart behavior for common apps and .conf files).
Adding an index, for example, does not trigger a restart by itself. But if you or another admin has made other configuration changes and not deployed them, then when you deploy your change that adds an index, you also deploy the previous changes. In this way, deploying a seemingly safe change can indirectly trigger a rolling restart.
Rolling restart behavior for common apps and .conf files
|App or .conf file||Name||Used for||Reload or restart|
|Conf||indexes.conf||This file is used to configure indexes and their properties.
|Conf||inputs.conf||This file is used for HEC CRUD operations, configuring tcp ports for forwarders, configuring scripted inputs for apps, configuring file system monitoring||reload|
|Conf||restmap.conf||This file is used to create custom REST endpoints.||reload|
|Conf||authorize.conf||This file is used to configure roles and granular access controls.||reload|
|Conf||web.conf||This file is used to configure tcp port to listen to incoming connections, appserverports, connectiontimeout.||restart|
|Conf||authentication.conf||This file is used to configure auth settings (LDAP, SAML setting) and role mapping.||reload|
|Conf||distsearch.conf||This file is used to configure attributes and values you can use to configure distributed search.||reload|
|Conf||limits.conf||This file is used to configure limitations for search commands, such as max_mem_usage_mb,min_batch_size_bytes etc.||reload|
|Conf||metric_rollups.conf||This file is used to configure metrics default aggregate functions, metric filtering, and multiple aggregations for metric rules.||restart|
|Conf||metric_alerts.conf||This file is used to configure metric alerts based on multiple conditions.||reload|
|Conf||messages.conf||This file is used to configure externalized message strings.||reload|
|Conf||server.conf||This file is used to configure which settings should be replicated within a search head cluster.||reload/restart|
|Conf||outputs.conf||This file is used to configure forwarders to forward data to receiving indexers.||reload|
|Conf||collections.conf||This file is used to configure KV store settings for a given app.||restart|
|App||Python for Scientific Computing (for Linux 64-bit)||This add-on contains a Python interpreter bundled with the following scientific and machine learning libraries: numpy, scipy, pandas, scikit-learn, and statsmodels. With this add-on, you can import these powerful libraries in your own custom search commands, custom rest endpoints, modular inputs, and so forth.||reload|
|App||Lookup File Editor||This app provides an Excel-like interface for editing, importing, and exporting lookup files (both KV store and CSV based lookups)||reload|
|App||Splunk Add-on for Unix and Linux||The Splunk Add-on for Unix and Linux allows a Splunk software administrator to collect *nix data from *nix hosts.||restart|
|App||Splunk Add-on for Cisco ASA||The Splunk Add-on for Cisco ASA allows a Splunk software administrator to map Cisco ASA devices, Cisco PIX, and Cisco FWSM events to the Splunk CIM.||reload|
|App||Splunk Dashboard Examples||The Splunk Dashboard app delivers examples that give you a hands-on way to learn the basic concepts and tools needed to rapidly create rich dashboards using Simple XML.||reload|
|App||Force Directed App For Splunk||The Force Directed App For Splunk helps you graph out attack paths and review links in your data. Built on D3 this app will allow you to search any form of data that has a source and target.||reload|
|App||Palo Alto Networks Add-on for Splunk||This add-on collects and correlates data from Firewalls, Panorama, Traps Endpoints, Aperture SaaS Security, AutoFocus, MineMeld, and WildFire.||restart|
Guidance for managing a rolling restart
To minimize impact to users, deploy configuration changes during times that are off peak for both indexing and searching. You can identify off-peak times from the Snapshots in your Splunk Cloud Monitoring Console. See Monitor Splunk Cloud deployment health.
During a rolling restart, monitor indexing and search performance with the Splunk Cloud Monitoring Console.
For more information about how a rolling restart works, see Perform a rolling restart of an indexer cluster in the Splunk Enterprise documentation. Note that some of the advanced options are not available by default in Splunk Cloud.
Manage private apps in your Splunk Cloud deployment
This documentation applies to the following versions of Splunk Cloud™: 8.0.2001, 8.0.2003, 8.0.2004