Hi,
I've got four indexers and two search heads in a distributed environment. I've got a new sourcetype coming into my indexers from a forwarder which hasn't been configured yet.
When I define it in props.conf:
[mysourcetype]
TIME_PREFIX=starttime
blah blah blah
am I able to use | extract reload=true instead of a full splunkd restart? Will it have the same effect? I'm always hesitant to do a full restart of indexers as it is a critical component of our monitoring.
Thanks,
Matt
