How to restart Universal Forwarder from a Deploy S...

kisero · ‎03-02-2018

Hi,

I need restart many servers (Universal Forwarders) Unix from a Deploy Server.
Is there any way to do it?

Thanks!

dominiquevocat · ‎04-29-2020

There is such a feature in https://splunkbase.splunk.com/app/2775/ - one or recursively over a search result. You need to reach port 8089 on the forwarders though and set a password for admin.

nplamondon · ‎05-21-2020

This is likely not an option for most people, as it would probably require firewall rules that no sane fw admin would create.

The existing answers are a much better solution.

dominiquevocat · ‎05-22-2020

Not saying i disagree with you but would you care to explain how pushing arbitrary code for execution from a deployment server to any endpoint being run with potentially local system/root is saner and safer then using the splunk api remotely from the same box?

klemaned · ‎09-26-2018

We use a Splunk_Restart class with a dummy Splunk_Restart app that has "Restart Splunkd" enabled. When we want to restart a host we just add it to the clients list and remove it 5 minutes later.

This is only necessary if you're making changes to an already deployed .conf file. If you're making major changes, you can use ./splunk reload deploy-server -class

rahulkumar02 · ‎06-12-2020

You can also restart by server class using the following command: /etc/splunk/bin- "splunk reload deploy-server -class ServerClassName".

nplamondon · ‎03-01-2019

Excellent solution, and added to my serverclass!

adonio · ‎03-02-2018

if they are talking to deployment server, you can pick an app that is deployed to all forwarders, probably an outputs app, and add the restart flag to it. then reload your apps to the forwarders
steps:
go to "forwarder Mangement" ->apps tab -> choose and app -> edit -> mark :Restart Splunkd" -> go to $SPLUNK_HOME/bin on Deploymet Server -> run: splunk reload deploy-server

hope it helps

shocko · ‎01-23-2024

So basically we can do the following:

Create a dummy app and assign system/UFs we wish to restart
Flag that app to restart with the checkbox
Restart depoyment server
Dummy app gets pushed to UF
UF reads it and restarts/reloads itself?

PickleRick · ‎01-23-2024

Close.

You don't need to restart the DS. Just reload the deployment classes. (if you're doing it via CLI, if I remember correctly, the GUI takes care of that automatically)

nick405060 · ‎01-17-2019

thanks! this seems obvious but is not. fixed my problems not getting any data from my deployment clients even though the apps were pushed out successfully.

However I had to remove all my apps, reload deploy-server, and then add them again and reload in order for the restart to actually take place. I think the restart is only triggered during an initial app installation and not just when you update the app. Not positive about that though.

ddrillic · ‎09-27-2018

Interesting thing @adonio - but we can't do anything (in the app context) if the forwarder is down, right? because I'm struggling with "my" forwarders that are occasionally down...

yannK · ‎06-12-2020

If the splunk service is down on the forwarder, then it cannot reach the deployment server, hence cannot receive the app update and restart request.

You may have to actually start splunk service directly on the client (with a CLI command or any remote admin management tool)

How to restart Universal Forwarder from a Deploy Server?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life