Solved: Re: Reload transforms.conf, props.conf and lookups

tkiss · ‎10-18-2014

Hi!

I have the habit to develope TAs and Splunk Apps right on the Splunk server. You know, 2 screens: Splunk search head web frontend on the left and notepad++ on the right screen where I have props.conf and transforms.conf opened as well as some lookup CSVs. As soon as I make a (search-time!) change in props.conf and transforms.conf I would expect Splunk to use it when I try to search on the web frontend. This has worked flawlessly with Splunk v5.x

Unfortunately this stopped or at the very least started to work very strangely with Splunk v6.x.

I've tried almost all the magic refreshes like: /debug/refresh, |extract reload=t, switching back and forth apps, trying a new search. 2 times out of 10 it works but the vast majority of my tries just seems to be "cached". It does reload the .conf files after a while (usually 1-3 minutes) but as you can imagine this painfully slows down the development of TAs.

Does anyone know a reliable way to reload simple, basic, search time field extractions stored in props.conf and transforms.conf WITHOUT restarting Splunk and which works in Splunk 6?

I'm using Splunk 6.1.4 if it matters but seen this behaviour on all Splunk version since v6.0.

Many thanks,
Tamas

jrodman · ‎10-18-2014

This isn't the answer you're looking for, so feel free not to accept. However, the general, deliberate, direction we're going in is having the searches not reload search state on every startup. This is because there's an large performance penalty which grows enormous in large environments to loading the state all the time.

That said, yes there should be a developer-friendly poke-to-reload action. I'll try to ask around when work hours come by again.

View solution in original post

jrodman · ‎10-18-2014

This isn't the answer you're looking for, so feel free not to accept. However, the general, deliberate, direction we're going in is having the searches not reload search state on every startup. This is because there's an large performance penalty which grows enormous in large environments to loading the state all the time.

That said, yes there should be a developer-friendly poke-to-reload action. I'll try to ask around when work hours come by again.

dvb · ‎09-11-2015

I understand that you don't want to reload everything everytime. But why has extract reload=t stopped to work? That's something I would only add to the search when I need the configs to be reloaded!

jizzmaster · ‎03-11-2015

This poke-to-reload functionality is definitely needed. I see the value in not having it reload without prompting, but to take away the prompts altogether is a bit extreme.

martin_mueller · ‎10-18-2014

Depending on what you're actually doing, you might be able to make your changes through the Splunk UI, especially for search-time stuff. That doesn't require any reloading or waiting.

tkiss · ‎10-18-2014

So my assumptions were right, it indeed does not refresh it as it did in v5 🙂
I see your point and thanks for the insights although I'm very sad to hear the new direction. While I understand the goal and welcome it but as you said - for developers it's currently more difficult and time consuming.

Please if you could keep us posted on this thread if there's any current or future option to trigger a "poke-to-reload" functionality.

Happy Splunking!

Tamas

Reload transforms.conf, props.conf and lookups

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk