Sometimes I make changes to my Splunk server's configuration, but I do not want to restart Splunk.
Which configuration changes require a restart, and which do not?
Also, does Splunk support a SIGHUP on linux/unix systems?
In general, settings which affect search take effect immediately, since searches are run in a separate process that reloads configurations. These settings include lookup tables, field extractions, tags and eventtypes.
Settings which affect indexing usually require a restart. These include index time field extractions, timestamp properties and index creation.
Input settings made through the UI and CLI do not require restarts and take place immediately.
Splunk doesn't yet support SIGHUP on unix systems, but that is certainly a commonly desired feature.
In general, settings which affect search take effect immediately, since searches are run in a separate process that reloads configurations. These settings include lookup tables, field extractions, tags and eventtypes.
Settings which affect indexing usually require a restart. These include index time field extractions, timestamp properties and index creation.
Input settings made through the UI and CLI do not require restarts and take place immediately.
Splunk doesn't yet support SIGHUP on unix systems, but that is certainly a commonly desired feature.
Heehee sending splunk a SIGHUP causes it to shut down. So you probably don't want to do this.