I'm about to implement the change in "Why isn't the timestamp being recognized?"
It will be in $SPLUNK_HOME/etc/system/local/props.conf.
Does it require an indexer rolling restart?
Depends. Nice answer, huh?
If you put it in $SPLUNK_HOME/etc/system/local/props.conf, then it will not be controlled by the cluster master, and will require a rolling restart. And you will have to do it on each indexer manually.
If you put it in the right place (which is not $SPLUNK_HOME/etc/system/local/props.conf), then you can just deploy the changes from the CM by putting it in the master-apps directory structure for the sourcetype you want. Then the rolling restart is not required, because it will be handled by the CM.
Is there a compelling reason you want to put it in system/local?
It's interesting, for the search heads we have specific apps but not for the indexers...
Much appreciated @cpetterborg