Hi,
We have some centos 7.4 systems with Splunk forwarder 7.0.0 installed.
Changes for data inputs are distributed to the agent's inputs.conf file, but the agent does not automatically use these new settings.
After we manually restart the Splunk service the updated inputs.conf file is read and used.
The agent is running under a dedicated account named Splunk. The Splunk account is added the /etc/sudoers file to allow restarting the Splunk services.
Thank you
HI magriii,
how do you deploy updates: using a Deployment Server or an external tool.
If Deployment Server, remember to check the Splunkd restart checkbox in ServerClass.
If an external tool, remember to restart Splunk after updates.
Bye.
Giuseppe
Hi and thanks to both comments.
I'm using the Splunk server as a deployment server and wasn't aware that I needed to enable the restart option.
Now as I better know where to search I found this Question that discusses the same issue.
link text
I've enabled these values and things are good.
restartSplunkd = true
issueReload = true
restartIfNeeded = true
Hey
If you change the configuration files directly, splunk does not know you have changed something.
.conf files are never re-read before you actually restart Splunk, and that is actually the expected behaviour.
As @cusello has mentioned, if you are using a deployment server to pull changes to the Universal Forwarders, then you should make sure that:
https://docs.splunk.com/Documentation/MSApp/1.4.3/MSInfra/Setupadeploymentserver
HI magriii,
how do you deploy updates: using a Deployment Server or an external tool.
If Deployment Server, remember to check the Splunkd restart checkbox in ServerClass.
If an external tool, remember to restart Splunk after updates.
Bye.
Giuseppe