amrit: hacks

Reload 4 Auth

This will be a very brief post, to fulfill my obligations. I’ll share something a little more informative, perhaps even more interesting, in an upcoming post (soon… I promise (kinda) this time).

As of Splunk 4.0, our old somewhat-of-an-API has been replaced with an entirely new REST API, invalidating my old post on reloading authentication from the command line.

Sooo….. in 4.x, you can restart the authentication system with the following command:

$ splunk _internal call /authentication/providers/services/_reload -auth admin:changeme

Any errors should be obvious in the resulting XML. As of 4.0.3, you’ll also get a non-zero return code upon receiving errors from the API. And I’ve filed a bug (just now) to expose this as a real CLI command, so soon this post will no longer be very important. :)
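An added example (not from the original post or from Splunk): a small shell wrapper that treats the reload as failed when either the exit code is non-zero or the returned XML carries an error message, which also covers versions before 4.0.3. The `<msg type="ERROR">` pattern, the function names, and the reliance on an earlier `splunk login` session in place of `-auth` (so the password stays out of the process list and shell history) are assumptions.

```shell
#!/bin/sh
# Added example: decide whether an auth reload succeeded.
# Assumption: API errors show up as <msg type="ERROR">...</msg> in the XML;
# the post itself only says errors "should be obvious" in the output.

# reload_ok EXIT_CODE XML -> returns 0 if the reload looks clean, 1 otherwise.
reload_ok() {
    rc=$1
    xml=$2
    # 4.0.3 and later: a non-zero exit code signals an API error.
    [ "$rc" -eq 0 ] || return 1
    # Before 4.0.3 the exit code is not reliable, so inspect the XML as well.
    if printf '%s\n' "$xml" | grep -Eiq '<msg[^>]*type="(ERROR|FATAL)"'; then
        return 1
    fi
    return 0
}

# reload_auth: run the reload call from the post and report the outcome.
# Assumption: a prior `splunk login` session authenticates the call, so no
# credentials are passed on the command line.
reload_auth() {
    xml=$(splunk _internal call /authentication/providers/services/_reload 2>&1) \
        && rc=0 || rc=$?
    if reload_ok "$rc" "$xml"; then
        echo "auth reload OK"
    else
        echo "auth reload FAILED (exit code $rc)" >&2
        printf '%s\n' "$xml" >&2
        return 1
    fi
}

# Constructed sample responses (not captured from a real Splunk instance).
SAMPLE_OK='<response><messages/></response>'
SAMPLE_ERR='<response><messages><msg type="ERROR">constructed sample: bad LDAP strategy</msg></messages></response>'
```

Call `reload_auth` after editing authentication.conf; a non-zero return from it is safe to use as a gate in a deployment script.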


Happy now, Simeon?

Reloading the auth system via CLI

Note: Tina pointed out that this does not apply to the authorize.conf file. This will be fixed in an upcoming version of Splunk.

This comes up every once in a while on the support channel (EFnet/#splunk), so I guess that means I should do a blog post on it.

If you’re making changes to the authentication.conf file and want to reload Splunk’s auth system without going through the web UI, you can use one of our internal functions to do it at the command line:

$ splunk _internal rpc-auth '<call name="syncAuth"><params/></call>'

This fires off the same call that the UI would use to reload the auth system, so it functions identically. Note that this is an authenticated call, so you’ll need to use one of the standard authentication methods (-auth, splunk login, or the SPLUNK_USERNAME/SPLUNK_PASSWORD env vars…).