Splunk Enterprise notes

Safe ways to restart Splunk on Linux/Windows, plus rolling restarts for indexer and search head clusters.

Splunk Enterprise Admin: Restarting Instances

Quick reference for restarting Splunk safely across different environments.

Single instance (Linux)

Use the Splunk CLI (run as the splunk OS user):

$SPLUNK_HOME/bin/splunk restart
# or stop/start
$SPLUNK_HOME/bin/splunk stop
$SPLUNK_HOME/bin/splunk start

If Splunk is installed as a systemd service (after running splunk enable boot-start):

sudo systemctl restart splunk
# check status
sudo systemctl status splunk

Single instance (Windows)

PowerShell:

Restart-Service -Name "Splunkd"

Command Prompt:

rem net stop waits for the service to stop before net start runs (sc stop returns immediately)
net stop Splunkd && net start Splunkd

Or restart via Services (services.msc): service name is “Splunkd”.

Indexer Cluster: Rolling restart of peers

Run on the Cluster Manager (formerly Master):

$SPLUNK_HOME/bin/splunk rolling-restart cluster-peers

Notes:

  • This restarts peers one at a time to maintain data availability.
  • If you pushed a bundle that requires a restart, splunk apply cluster-bundle may trigger a rolling restart automatically. The explicit command above gives you control over when the restart happens.

Search Head Cluster: Rolling restart

Run on the captain (or any member; the captain orchestrates):

$SPLUNK_HOME/bin/splunk rolling-restart shcluster-members

Notes:

  • Sessions are preserved as members cycle.
  • Make sure the cluster is healthy before starting.

Cluster Manager / Deployer

  • Cluster Manager (Indexers): standard restart is fine during maintenance windows:
$SPLUNK_HOME/bin/splunk restart
  • Deployer (Search Heads): restart after large app/deployment changes if needed:
$SPLUNK_HOME/bin/splunk restart

Verify after restart

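$SPLUNK_HOME/bin/splunk status
# or query the management port
# -k skips TLS certificate verification; a password given in --user ends up in shell
# history and the process list, whereas --user admin alone makes curl prompt for it
curl -sk https://<host>:8089/services/server/info --user admin:*****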

Good practices

  • Run CLI as the Splunk service user (often splunk).
  • Prefer rolling restarts on clusters to avoid downtime.
  • Schedule maintenance windows for single-instance restarts.
  • Check splunkd.log if a node fails to come back up: $SPLUNK_HOME/var/log/splunk/splunkd.log.
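
The "Verify after restart" step and the splunkd.log tip above, combined into one script. This is an added example, not part of the original notes. The function names, the /opt/splunk default, the "splunkd is running" status text and the splunkd.log field layout are assumptions stated in the comments.

```bash
#!/usr/bin/env bash
# Added example: post-restart check for a single Splunk instance.
# SPLUNK_BIN, wait_for_splunkd, recent_errors and verify_restart are names
# chosen for this example; /opt/splunk is an assumed default install path.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_BIN="${SPLUNK_BIN:-$SPLUNK_HOME/bin/splunk}"

# Poll "splunk status" until it reports splunkd running or the timeout expires.
# Assumes the status output contains "splunkd is running" when the daemon is up.
# usage: wait_for_splunkd <timeout_seconds> [interval_seconds]
wait_for_splunkd() {
  local timeout="$1" interval="${2:-5}" waited=0
  until "$SPLUNK_BIN" status 2>&1 | grep -q 'splunkd is running'; do
    if [ "$waited" -ge "$timeout" ]; then return 1; fi
    sleep "$interval"
    waited=$((waited + interval))
  done
  return 0
}

# Print the last N ERROR/FATAL lines of a splunkd.log.
# Assumes the log level is the 4th whitespace-separated field:
#   MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message
recent_errors() {
  local log="$1" n="${2:-20}"
  awk '$4 == "ERROR" || $4 == "FATAL"' "$log" | tail -n "$n"
}

# Wait for splunkd; on timeout, show why it may have failed to start.
verify_restart() {
  local timeout="${1:-120}" interval="${2:-5}"
  local log="$SPLUNK_HOME/var/log/splunk/splunkd.log"
  if wait_for_splunkd "$timeout" "$interval"; then
    echo "splunkd is running"
    return 0
  fi
  echo "splunkd not running after ${timeout}s; recent errors from $log:" >&2
  if [ -r "$log" ]; then recent_errors "$log" 20 >&2; fi
  return 1
}

# Run the check only when called as: ./verify-restart.sh verify [timeout]
if [ "${1:-}" = "verify" ]; then
  verify_restart "${2:-120}"
fi
```

Run it as the Splunk service user right after the restart command; a non-zero exit means splunkd did not report as running within the timeout.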