
"Restart Splunk for your changes to take effect"

arkadyz1
Builder

From the documentation (Getting Data In, v6.2.1):

Restart Splunk for your changes to take effect

Changes to configuration files such as props.conf and transforms.conf won't
take effect until you shut down and restart Splunk on all affected components.

What does "on all affected components" mean? For example, if I change something on a forwarder, should I restart not just the forwarder, but also the forward-server where the data are sent?


acharlieh
Influencer

The page you grabbed this quote from is about creating index-time fields. Above this quote, there is a section ("Where to put the configuration changes in a distributed environment") explaining that in order to successfully create an index-time extracted field, there are changes that need to be done on a Search Head, while others need to be done on the Search Peers (indexers, or heavy forwarders depending on your architecture). For many people (with small environments, or just using the Free license), these Splunk instances are actually one and the same, but as you scale up Splunk, they start to live on separate machines (and clusters of separate machines).

If you make a change to your forwarder, usually you'll only need to restart your forwarder. Sometimes, however, there are cases where, for something to work as you expect it, you'll need to make changes to multiple Splunk instances and restart all of them.


jworthington_sp
Splunk Employee

If you made a change on a forwarder, then restarting just the forwarder should be enough to update the configuration. The main point of restarting is just to get your edits to be recognized and added to the configuration.

AnilPujar
Path Finder

If we restart a heavy forwarder, does it lead to data loss, as the forwarder will be forwarding data in real time?
