Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

reload deploy-server causing splunk restart

keerthana_k
Communicator
‎10-26-2017 04:20 AM

Hi,

We have a distributed Splunk system installed and use deployment server to manage configurations. We have a python script which updates a few lookup CSV files and binary database files periodically. In the script, we run the reload deploy-server command to distribute the changed files across all the systems. Though the change is only lookup files, it is causing restart of splunk service at all the nodes. Is there anyway we can prevent the this restart? We have saved summary searches running and it is causing missing buckets of data.

Thanks in advance,
Keerthana

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-26-2017 04:35 AM

Hi keerthana_k,
probably in your ServerClass you set for at least one of the Apps containing these lookups to restart Splunk, so when you launch "reload deploy-server" remote Splunks are restarted!
Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

koshyk
Super Champion
‎10-26-2017 04:39 AM

As per your post, it seems you are using "Deployment-server" to manage Search Head Cluster? if this is the case it is wrong. You should use "deployer" for the same.

Lookups normally don't tend to restart Splunk endpoints until you have forced the serverclass element of the server for restartSplunkd=true. If you want, you can make it restartSplunkd=false forcibly and have a go

0 Karma
Reply
Solved! Jump to solution

keerthana_k
Communicator
‎10-26-2017 04:54 AM

I am not using a search head cluster. I just have two search heads which serve two different purposes. If I set restartSplunkd to false, then what will happen if I make any configuration change which might require splunk restart?

0 Karma
Reply
Solved! Jump to solution

koshyk
Super Champion
‎10-26-2017 07:39 AM

you can put restartSplunkd to "false" for each app you push. So you can make it granular and package all your lookup into an app which you can say "false" for

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-26-2017 04:35 AM

Hi keerthana_k,
probably in your ServerClass you set for at least one of the Apps containing these lookups to restart Splunk, so when you launch "reload deploy-server" remote Splunks are restarted!
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

keerthana_k
Communicator
‎10-26-2017 04:53 AM

We are setting restartSplunkd to true. So if I remove the configuration, then what will happen when I make other configuration changes that may require splunk restart?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-26-2017 05:02 AM

Hi keerthana_k,
yes there's a problem!
I suggest to change the approach for lookups, two choices:

  • use your script to change them directly on all Search Heads instead on Deployment Server,
  • if possible, put all lookups in a different App, sharing them at Global level and deploying them without Splunk restart.

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...