Lesser-known Splunk Enterprise features Part 1: Debug/Refresh

By Nate Hufnagel, Splunk Consultant II, Cybersecurity Engineering

Intro

The Splunk Enterprise platform supports several styling and behavior customizations that customers can take full advantage of. Some of these features become obvious as your Splunk admin gets more familiar with the UI, while others are far less obvious, even hidden. This two-part series covers two of these hidden but powerful features of Splunk: debug/refresh and _bump.

First up: debug/refresh. This is a Splunk Web endpoint that makes splunkd reload every registered EAI (Extensible Administration Interface) handler via a REST call. Put more plainly, most of Splunk’s configs and static assets can be reloaded or refreshed without restarting the splunkd service. This includes props, transforms, inputs, dashboards, navigation and many others. The full list of handlers can be found in the Splunk docs, or simply by executing debug/refresh, which prints each handler as it reloads. Let’s take a look at a few examples.

In this first example, we’ll add a new search-time field extraction to props.conf and update our sourcetype without restarting Splunk. This is our list of fields before making any changes:

We’ll add another field called “ErrorMessage_2” to the sourcetype in props.conf. The same extraction can also be created through Splunk Web (Settings > Fields > Field extractions):

[<sourcetype>]
EXTRACT-ErrorMessage_2 = ErrorMessage\=(?<ErrorMessage_2>[^\]]+)

Next, while logged in to Splunk Web as a user with the admin role (the endpoint is not available to lower-privileged roles), we’ll edit the URL to the following:
http(s)://<host>:<mport>/debug/refresh
…where “host” is the hostname and “mport” is the Splunk Web port (8000 in this case).
Click “Refresh”. It takes about a minute while all the handlers reload, so on a busy production search head expect a short burst of load while this runs.
Once the reload is complete, we’ll see the “Entity refresh control page” in our browser, along with a list of every handler that was successfully reloaded.

Now, we’ll navigate back to Splunk Web at http(s)://<host>:<mport> (the session should still be logged in) and run the same search as before.

After running the same search, we see our new field!
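Before pushing a new EXTRACT rule and refreshing a production search head, it is worth checking that the regex actually produces the field against real events. The script below is an added example, not code from the original post or from Splunk: it parses a props.conf fragment like the one above, applies each EXTRACT-* rule the way search-time extraction does (Splunk regexes use PCRE-style (?<name>...) groups, which Python’s re module needs as (?P<name>...)), and builds the debug/refresh URL from the host and web port. The sourcetype name my_app_logs, the hostname and the log lines are constructed for the example; the optional entity query parameter restricts the refresh to a single EAI handler instead of reloading all of them.

```python
"""Check props.conf EXTRACT rules against sample events, then build the debug/refresh URL."""
import re
from urllib.parse import urlencode

# Constructed props.conf fragment mirroring the stanza added in the post.
# The sourcetype name is an assumption for this example.
PROPS_CONF = r"""
[my_app_logs]
EXTRACT-ErrorMessage_2 = ErrorMessage\=(?<ErrorMessage_2>[^\]]+)
"""

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "2024-03-01 12:00:00 [app=checkout] [ErrorMessage=Payment gateway timeout] status=500",
    "2024-03-01 12:00:01 [app=checkout] status=200",
    "2024-03-01 12:00:02 [app=auth] [ErrorMessage=Invalid token] status=401",
]


def parse_props(text):
    """Return {stanza: {setting: value}} for an INI-style props.conf fragment."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def to_python_regex(pcre):
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).

    Lookbehinds (?<= and (?<! are left untouched.
    """
    return re.sub(r"\(\?<(?![=!])", "(?P<", pcre)


def search_time_fields(stanza, event):
    """Apply every EXTRACT-* rule in a stanza to an event's _raw text.

    Returns the fields search-time extraction would produce for that event.
    Only the plain form of EXTRACT is handled here, not the 'in <field>' form.
    """
    fields = {}
    for key, value in stanza.items():
        if not key.startswith("EXTRACT-"):
            continue
        match = re.search(to_python_regex(value), event)
        if match:
            fields.update({k: v for k, v in match.groupdict().items() if v is not None})
    return fields


def refresh_url(host, port, entity=None, scheme="https", locale="en-US"):
    """Build the Splunk Web debug/refresh URL; entity limits the reload to one handler."""
    url = f"{scheme}://{host}:{port}/{locale}/debug/refresh"
    if entity:
        url += "?" + urlencode({"entity": entity})
    return url


if __name__ == "__main__":
    stanza = parse_props(PROPS_CONF)["my_app_logs"]
    for event in SAMPLE_EVENTS:
        print(search_time_fields(stanza, event))
    # Hostname is an assumption for the example.
    print(refresh_url("splunk.example.com", 8000))
    print(refresh_url("splunk.example.com", 8000, entity="admin/savedsearch"))
```

Run it locally against a handful of events copied from the target sourcetype; if the field comes back empty here, a debug/refresh will not make it appear in search either, and fixing the regex first saves a reload cycle on the search head.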

We can also reload more complex changes, like a custom app. For example, an app with a custom navigation bar and embedded HTML links can be installed and used without restarting splunkd.

In this next example, our custom app is named “html-link”. It contains one custom navigation tab called “Hyperlink” and an HTML link that takes us to an external site. We’ll follow the same steps as above to achieve this without restarting splunkd:

1. Install the app
2. Perform the debug/refresh
3. Navigate back to Splunk Web home
4. Launch the app

Before installing the app

Installing app

Performing debug/refresh

Navigating to and launching the app

To learn more about which Splunk resources can be reloaded with debug/refresh, check out the links to the Splunk docs below. Be on the lookout for Part 2, where we’ll dive into the “_bump” feature.

Link to Docs

https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/CustomizationOptions

https://dev.splunk.com/enterprise/docs/devtools/customrestendpoints/customresteai

Let us know what you think! And for more information on TekStream offerings, visit our Splunk Services page.