Deployment Architecture

Splunk forwarder need to restart when new app with inputs.conf added?

ankithreddy777
Contributor

Does Splunk UF need to restart when new app consisting inputs.conf is added?
While setting serverclass.conf should I enable splunkdrestart when new app deployed to Splunk UF

0 Karma

beatus
Communicator

ankithreddy777,
In Splunk 6.4 and greater, the Universal Forwarder is reloadable via the serverclass.conf. By adding the following settings to the serverclass, Splunk will opportunistically reload (and issue a restart if the objects are not reloadable).

serverclass.conf:

restartSplunkd = false
#* If true, restarts splunkd on the client when a member app or a directly  configured app is updated.
#* Can be overridden at the serverClass level and the serverClass:app level.
#* Defaults to false

issueReload = true
#* If true, triggers a reload of internal processors at the client when a member app or a directly configured app is updated 
#* If you don't want to immediately start using an app that is pushed to a client, you should set this to false.
#* defaults to false

restartIfNeeded = true
#* This is only valid on forwarders that are newer than 6.4.
#* If true and issueReload is also true, then when an updated app is delpoyed
#  to the client, that client will try to reload that app. If it fails, it will then restart.
#* defaults to false

Add these to any serverclasses that you'd like to reload.

--- Old answer for Prior to 6.4 ---
Technically the UF doesn't require a restart. The problem is the Deployment Server does not do any reload of any sort. This means the only way to automatically reload the new inputs configuration on the UF is to trigger a restart.

The alternative here is to touch a reload rest endpoint on the UF every time you would like to reload the configuration. This would get quite tedious and requires either being on the system with the UF or having changed the UF's password to access it's rest API.

Long story short - unless you have a reason to prevent restarts on a UF, absolutely set "restartSplunkd" to true in the serverclass.conf.

0 Karma

adonio
Ultra Champion

i think it depends on the kind of input you are adding. monitor, scripted, modular etc.
as a rule of thumb i will say yes, enable restart when you modify inputs.conf or enable restart on your inputs apps.
on a side note, i think splunk always working on eliminating the changes that requires a restart so my response her may not be accurate

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...