Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

"Splunk must be restarted" message will not go away.

I_am_Jeff
Communicator
‎01-27-2012 11:33 AM

Running version 4.2.3 on a dedicated indexer.

A few days ago we got the dreaded, "Splunk must be restarted for changes to take effect. Click here to restart from the Manager," message.

  • We restart Splunk, both via the command line and through the GUI. The message reappears.
  • We stop Splunk via the command line. Wait several minutes and restart. The message reappears.
  • We click "Clear Restart Message" and the message reappears immediately.

Any ideas? Even a hint on what logs to look at?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎01-28-2012 09:37 AM

Please check the following Splunk Answer to see if it matches the issue you are encountering and if the proposed work-around will work for you.

View solution in original post

Reply
Solved! Jump to solution

hexx
Splunk Employee
Splunk Employee
‎01-28-2012 12:41 PM

Note that the SoS app in its version 2.x should not be installed on your indexers, only on your search-head. For best practices on deploying SoS in a distributed environment, please read this Splunk Answer.

0 Karma
Reply
Solved! Jump to solution

tmeader
Contributor
‎01-28-2012 11:17 AM

I actually opened a bug on this with Splunk (don't know if they've identified the actual issue yet) and there is a workaround available in S.o.S 2.1:

http://splunk-base.splunk.com/answers/37102/persistent-splunk-must-be-restarted-for-changes-to-take-...

Hope that helps you too.

Reply
Solved! Jump to solution

hexx
Splunk Employee
Splunk Employee
‎01-28-2012 12:34 PM

Indeed, the issue that @tmeader is referencing is a core Splunk bug which has been filed under reference SPL-46736. For more details, please read the Splunk Answer referenced above.

0 Karma
Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎01-28-2012 09:37 AM

Please check the following Splunk Answer to see if it matches the issue you are encountering and if the proposed work-around will work for you.

Reply
Solved! Jump to solution

I_am_Jeff
Communicator
‎01-27-2012 12:09 PM

SoS is version 2.1.0 on both indexers.

0 Karma
Reply
Solved! Jump to solution

I_am_Jeff
Communicator
‎01-27-2012 12:07 PM

Update

I disabled S.o.S. Message appeared saying something like SoS was disabled and an index size change was made, please restart. Restarted and message has been gone for the last 30 minutes. (I previously tried changing the size of an index via the GUI to see if it would get the message to go away after a restart.) I have another indexer with SoS enabled, but no messages about restarting on that one.

I enabled SoS and message reappears. "User 'iamjeff' triggered the 'disable' action on app 'sos', and the following objects required a restart: indexes."

SoS disabled. No message again.

0 Karma
Reply
Get Updates on the Splunk Community!

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...