Getting Data In

Why does the Linux Centos Forwarder does not automatically load changes from inputs.conf?

magriii
Explorer

Hi,

We have some centos 7.4 systems with Splunk forwarder 7.0.0 installed.
Changes for data inputs are distributed to the agent's inputs.conf file, but the agent does not automatically use these new settings.
After we manually restart the Splunk service the updated inputs.conf file is read and used.

The agent is running under a dedicated account named Splunk. The Splunk account is added the /etc/sudoers file to allow restarting the Splunk services.

Thank you

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

HI magriii,
how do you deploy updates: using a Deployment Server or an external tool.

If Deployment Server, remember to check the Splunkd restart checkbox in ServerClass.
If an external tool, remember to restart Splunk after updates.

Bye.
Giuseppe

View solution in original post

0 Karma

magriii
Explorer

Hi and thanks to both comments.
I'm using the Splunk server as a deployment server and wasn't aware that I needed to enable the restart option.
Now as I better know where to search I found this Question that discusses the same issue.
link text

I've enabled these values and things are good.
restartSplunkd = true
issueReload = true
restartIfNeeded = true

0 Karma

tiagofbmm
Influencer

Hey

If you change the configuration files directly, splunk does not know you have changed something.

.conf files are never re-read before you actually restart Splunk, and that is actually the expected behaviour.

As @cusello has mentioned, if you are using a deployment server to pull changes to the Universal Forwarders, then you should make sure that:

  • after changing some configuration in an app under deployment_apps, you must splunk repload deploy-server in order to make the DS aware you changed things are recreate a checksum of what you have in the app
  • the serverclass should have the option "restart splunk" enabled so your Universal Forwarders restart automatically and your changes turn into runtime configurations.

https://docs.splunk.com/Documentation/MSApp/1.4.3/MSInfra/Setupadeploymentserver

0 Karma

gcusello
SplunkTrust
SplunkTrust

HI magriii,
how do you deploy updates: using a Deployment Server or an external tool.

If Deployment Server, remember to check the Splunkd restart checkbox in ServerClass.
If an external tool, remember to restart Splunk after updates.

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...