Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Does disabling or enabling apps require a restart of the splunkd process in Splunk 6.3.0?

langhorn
Explorer
‎10-27-2015 03:31 AM

Prior to upgrading to 6.3.0 from 6.1 I would like to know if disabling and enabling of APPs require a restart of the splunkd process in 6.3.0?

In version 6.3.0 the splunkweb process does not exist unless SPLUNK is run in legacy mode, and I would like to avoid running in legacy mode, hence it is not possible to only restart splunkweb.

Reason for asking is that I want to disable an APP that tends to generate an alert storm after restarting splunkd and then to enable the APP once SPLUNK has ingested the data backlog after restart. A second restart of splunkd would defeat the purpose of disabling the APP in the first place.

Thanks.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎10-27-2015 04:42 AM

I'm not sure officially, but even though splunkweb is not an official separate process I can still restart it.

splunk@crn-splsh-01:~$ splunk version
Splunk 6.3.0 (build aa7d4b1ccb80)

and

splunk@crn-splsh-01:~$ splunk restart splunkweb
Your session is invalid.  Please login.
Splunk username: myuser
Password:
Splunk's web interface has been restarted.

Obviously, test and check on this and make sure it still does the same things it used to. It has seemed to me to work the same way, though.

While it doesn't seem to discuss this particular change, more info on when to restart is here.

0 Karma
Reply

langhorn
Explorer
‎10-27-2015 05:26 AM

Thanks.
I do not have a test system available at the moment to verify the behaviour, so it makes it difficult for me to test it beforehand.
I am just looking at the current 6.1 behaviour, where I get a warning that I need to restart Splunk in order to enable even a simple test APP.

The fact that the splunk restart splunkweb command seems to work does not mean that it actually does anything.
Here is an extract from the 6.3.0 Admin manual

Note: If either the startwebserver attribute is disabled, or the appServerPorts
attribute is set to anything other than 0 in web.conf, then manually starting
splunkweb does not do anything. The splunkweb process will not start in either
case.

0 Karma
Reply
Get Updates on the Splunk Community!

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...