All,
I am bringing in a number of configs as sourcetype=config_file via inputs.conf and I am pretty happy with it. How ever the index I am using is aging out some of the config_files. Is there a way to ensure the config files are reread every week or so in addition to bringing them in when the file changes?
Ended up giving up and creating a one line script that just says "cat /etc/passwd and created these stanzas. Verified the cat output is Md5 identical to to a monitor input so works out.
# /etc/passwd
[monitor:///etc/passwd]
index=os
sourcetype=config_file
disabled = 0
[script://./bin/catPasswd.sh]
sourcetype = config_file
source=/etc/passwd
interval = 86400
index = os
disabled = 0
[fschange:/etc/passwd]
index = os
recurse = false
pollPeriod = 60
hashMaxSize=1000
disabled = 0
Ended up giving up and creating a one line script that just says "cat /etc/passwd and created these stanzas. Verified the cat output is Md5 identical to to a monitor input so works out.
# /etc/passwd
[monitor:///etc/passwd]
index=os
sourcetype=config_file
disabled = 0
[script://./bin/catPasswd.sh]
sourcetype = config_file
source=/etc/passwd
interval = 86400
index = os
disabled = 0
[fschange:/etc/passwd]
index = os
recurse = false
pollPeriod = 60
hashMaxSize=1000
disabled = 0
Hi daniel333,
there is the /debug/refresh
endpoint to reload configs, but be aware it will reload inputs on the fly and current connection will just be dropped.
The other option is to check a specific REST endpoint http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTlist if it supports the _reload
option and only reload the specific endpoint.
Hope this helps ...
cheers, MuS
Update, if you want to reload just one config using the debug/refresh
endpoint you can follow this instruction http://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationfilechangesthatrequirerestart#...
I just realised that I completely misunderstood your question :facepalm: