Solved: Restart Splunk Search Head only in single host ins...

adckia · ‎05-02-2019

Hello,
In a test environment, we have a single-host installation of Splunk Enterprise, i.e.
- License Master
- Indexer (single, no cluster)
- Deployment Server
- Search Head (single, no cluster)
- Monitoring Console
all run on the same machine.
The question is: How can we restart the Search Head (in order to have it reload the apps an saved searches from the file system) without stopping the other Splunk processes (in particular, we don't want the Indexer to stop)?
Thanks for any hints.

enicholson_splu · ‎05-02-2019

You can do a debug/refresh which will not stop the Splunk service:

http://localhost:8000/en-US/debug/refresh

However, an App install or particular changes may require a Splunk restart.

View solution in original post

enicholson_splu · ‎05-02-2019

You can do a debug/refresh which will not stop the Splunk service:

http://localhost:8000/en-US/debug/refresh

However, an App install or particular changes may require a Splunk restart.

adckia · ‎05-03-2019

Thanks for the hint.
Does this also reload an app updated on the file system?

enicholson_splu · ‎05-03-2019

It will reload/refresh config changes. If it is a new App install or upgrade it may need a restart.

adckia · ‎05-03-2019

It works for my current purpose of reloading the alerts.
Thank you very much.

Restart Splunk Search Head only in single host installation of Splunk Enterprise

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases