Is it possible to restart the RTO app without restarting Splunkd? We have the RTO app installed on each of our indexers to spread out the load, but bringing down Splunk for 5 minutes while it restarts just to update the output is impacting our users. I have tried using the REST API (servername:8089/services/apps/local/SplunkRealTimeOutput/_reload) but I receive a message on the indexer stating that "realtimeoutput" and "web" require a restart for the changes to take effect. I have also tried using the "enable" and "disable" REST calls, but the result is the same.
Is it possible to reload these configurations without restarting the entire indexer?
Real-time outputs are in part scripted inputs. Since you are familiar with the REST API, you are ahead of the game. Try POSTing to this endpoint:
https://af-yolo.sv.splunk.com:8089/servicesNS/nobody/SplunkRealTimeOutput/data/inputs/script/your_r...
To follow up on this:
https://localhost:8089/servicesNS/nobody/SplunkRealTimeOutput/data/inputs/script/_reload appears to be the right command. The "restart" command produces an error:
We are continuing testing to figure out how to get the _reload command to function consistently, but initial results show it working about 75% of the time. There have been several cases where only 3 or 4 out of 6 of our RTO inputs actually reload on a given indexer.
Looks like there are actually two actions, both implemented at the collection layer:
https://localhost:8089/servicesNS/nobody/SplunkRealTimeOutput/data/inputs/script/_reload
https://localhost:8089/servicesNS/nobody/SplunkRealTimeOutput/data/inputs/script/restart
According to the docs, I think you want to POST to the restart endpoint.
I feel like I'm closer now:
curl -k -u admin https://localhost:8089/servicesNS/nobody/SplunkRealTimeOutput/data/inputs/script/%252Fopt%252Fsplunk... -d ''
Enter host password for user 'admin':
In handler 'script': Invalid custom action for this internal handler (handler: script, custom action: _reload, eai action: edit).
Not sure what I am missing.