Splunk Cloud

Splunk Cloud User Manual

Manage a rolling restart in Splunk Cloud

Some configuration updates can cause the indexers in your Splunk Cloud deployment to begin a process called a rolling restart. To minimize the impact of a rolling restart, deploy these updates during off-peak hours.

What users experience during a rolling restart

A rolling restart means that indexers restart in sequence.

Depending on the details of your data inputs, indexing probably continues. Using forwarders or other types of load balancers, rather than network inputs alone, increases the robustness of your indexing during a rolling restart.

Searches still run during a rolling restart, but they might return incomplete results. Users running searches in Splunk Web receive a message warning of incomplete search results.

What triggers a rolling restart

Deploying certain configuration changes triggers a rolling restart. Examples of changes that trigger a rolling restart include, but are not limited to, the following tasks:

Adding an index, for example, does not trigger a restart by itself. But if you or another admin has made other configuration changes and not deployed them, then when you deploy your change that adds an index, you also deploy the previous changes. In this way, deploying a seemingly safe change can indirectly trigger a rolling restart.

Rolling restart behavior for common apps and .conf files

| App or .conf file | Name | Used for | Reload or restart |
|---|---|---|---|
| Conf | indexes.conf | This file is used to configure indexes and their properties. | For a listing of specific changes to this file that require a restart, see Determine which indexes.conf changes require a restart in the Splunk Enterprise documentation. |
| Conf | inputs.conf | This file is used for HEC CRUD operations, configuring tcp ports for forwarders, configuring scripted inputs for apps, configuring file system monitoring. | reload |
| Conf | restmap.conf | This file is used to create custom REST endpoints. | reload |
| Conf | authorize.conf | This file is used to configure roles and granular access controls. | reload |
| Conf | web.conf | This file is used to configure tcp port to listen to incoming connections, appserverports, connectiontimeout. | restart |
| Conf | authentication.conf | This file is used to configure auth settings (LDAP, SAML setting) and role mapping. | reload |
| Conf | distsearch.conf | This file is used to configure attributes and values you can use to configure distributed search. | reload |
| Conf | limits.conf | This file is used to configure limitations for search commands, such as max_mem_usage_mb, min_batch_size_bytes, etc. | reload |
| Conf | metric_rollups.conf | This file is used to configure metrics default aggregate functions, metric filtering, and multiple aggregations for metric rules. | restart |
| Conf | metric_alerts.conf | This file is used to configure metric alerts based on multiple conditions. | reload |
| Conf | messages.conf | This file is used to configure externalized message strings. | reload |
| Conf | server.conf | This file is used to configure which settings should be replicated within a search head cluster. | reload/restart |
| Conf | outputs.conf | This file is used to configure forwarders to forward data to receiving indexers. | reload |
| Conf | collections.conf | This file is used to configure KV store settings for a given app. | restart |
| App | Python for Scientific Computing (for Linux 64-bit) | This add-on contains a Python interpreter bundled with the following scientific and machine learning libraries: numpy, scipy, pandas, scikit-learn, and statsmodels. With this add-on, you can import these powerful libraries in your own custom search commands, custom rest endpoints, modular inputs, and so forth. | reload |
| App | Lookup File Editor | This app provides an Excel-like interface for editing, importing, and exporting lookup files (both KV store and CSV based lookups). | reload |
| App | Splunk Add-on for Unix and Linux | The Splunk Add-on for Unix and Linux allows a Splunk software administrator to collect *nix data from *nix hosts. | restart |
| App | Splunk Add-on for Cisco ASA | The Splunk Add-on for Cisco ASA allows a Splunk software administrator to map Cisco ASA devices, Cisco PIX, and Cisco FWSM events to the Splunk CIM. | reload |
| App | Splunk Dashboard Examples | The Splunk Dashboard app delivers examples that give you a hands-on way to learn the basic concepts and tools needed to rapidly create rich dashboards using Simple XML. | reload |
| App | Force Directed App For Splunk | The Force Directed App For Splunk helps you graph out attack paths and review links in your data. Built on D3, this app will allow you to search any form of data that has a source and target. | reload |
| App | Palo Alto Networks Add-on for Splunk | This add-on collects and correlates data from Firewalls, Panorama, Traps Endpoints, Aperture SaaS Security, AutoFocus, MineMeld, and WildFire. | restart |
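
The following is an added example, not Splunk code: a pre-deployment check that applies the .conf rows of the table above to everything that would ship together, which is how a change that is safe on its own ends up triggering a rolling restart. The `Change` record, the `verified` field, and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

# Behaviour per .conf file, copied from the table on this page. "review" marks
# rows where the page gives no single answer (indexes.conf, server.conf).
BEHAVIOR = {
    "indexes.conf": "review", "server.conf": "review",
    "inputs.conf": "reload", "restmap.conf": "reload",
    "authorize.conf": "reload", "authentication.conf": "reload",
    "distsearch.conf": "reload", "limits.conf": "reload",
    "metric_alerts.conf": "reload", "messages.conf": "reload",
    "outputs.conf": "reload",
    "web.conf": "restart", "metric_rollups.conf": "restart",
    "collections.conf": "restart",
}
RANK = {"reload": 0, "review": 1, "restart": 2}

@dataclass(frozen=True)
class Change:  # hypothetical record of one saved but undeployed change
    author: str
    conf_file: str
    summary: str
    verified: str = ""  # set once an admin has checked a "review" change

def classify(change):
    # Files outside the table are "review": the page's list is not exhaustive.
    return change.verified or BEHAVIOR.get(change.conf_file, "review")

def assess_deployment(pending):
    """Return the worst-case behaviour of everything that ships in one
    deployment, plus the changes responsible for it."""
    worst = max((classify(c) for c in pending), key=RANK.get, default="reload")
    culprits = [c for c in pending if worst != "reload" and classify(c) == worst]
    return worst, culprits

# Constructed sample: your own change adds an index (no restart by itself,
# per the page), but two earlier changes were saved and never deployed.
PENDING = [
    Change("you", "indexes.conf", "add index", verified="reload"),
    Change("other_admin", "web.conf", "change connection timeout"),
    Change("other_admin", "limits.conf", "raise max_mem_usage_mb"),
]

if __name__ == "__main__":
    worst, culprits = assess_deployment(PENDING)
    print(f"deployment outcome: {worst}")
    for c in culprits:
        print(f"  caused by {c.author}: {c.conf_file} ({c.summary})")
```

A result of `restart` or `review` is the signal to hold the deployment for an off-peak window.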

Guidance for managing a rolling restart

To minimize impact to users, deploy configuration changes during times that are off peak for both indexing and searching. You can identify off-peak times from the Snapshots in your Splunk Cloud Monitoring Console. See Monitor Splunk Cloud deployment health.

During a rolling restart, monitor indexing and search performance with the Splunk Cloud Monitoring Console.

More information

For more information about how a rolling restart works, see Perform a rolling restart of an indexer cluster in the Splunk Enterprise documentation. Note that some of the advanced options are not available by default in Splunk Cloud.

Last modified on 24 March, 2020

This documentation applies to the following versions of Splunk Cloud: 8.0.2001, 8.0.2003, 8.0.2004
