https://community.splunk.com/t5/Splunk-Search/Real-time-alerting-with-search-head-pooling/m-p/36607#M8130 <P>Hi,</P> <P>We have a distributed environment with 2 search heads in a pool (for LB and HA) running v4.3.0 (upgrading shortly). <BR /> When scheduling real-time searches, both search heads start processing the events simultaneously (There is splunkd search processes running on each search head).<BR /> Then when an alert if fired, both search heads trigger the alert (for example, both search heads send an email; even with throttling enabled).</P> <P>1.Is it correct that both search heads run the scheduled real-time search? What is the benefit of this, as is just seems to put undue load on the environment?</P> <P>2.Is it possible to restrict this real-time searching to only occur on one or the two search heads?</P> <P>Thanks,<BR /> Mark</P> Thu, 16 Aug 2012 04:48:57 GMT mark 2012-08-16T04:48:57Z https://community.splunk.com/t5/Splunk-Search/Real-time-alerting-with-search-head-pooling/m-p/36607#M8130 <P>Hi,</P> <P>We have a distributed environment with 2 search heads in a pool (for LB and HA) running v4.3.0 (upgrading shortly). <BR /> When scheduling real-time searches, both search heads start processing the events simultaneously (There is splunkd search processes running on each search head).<BR /> Then when an alert if fired, both search heads trigger the alert (for example, both search heads send an email; even with throttling enabled).</P> <P>1.Is it correct that both search heads run the scheduled real-time search? What is the benefit of this, as is just seems to put undue load on the environment?</P> <P>2.Is it possible to restrict this real-time searching to only occur on one or the two search heads?</P> <P>Thanks,<BR /> Mark</P> Thu, 16 Aug 2012 04:48:57 GMT https://community.splunk.com/t5/Splunk-Search/Real-time-alerting-with-search-head-pooling/m-p/36607#M8130 mark 2012-08-16T04:48:57Z https://community.splunk.com/t5/Splunk-Search/Real-time-alerting-with-search-head-pooling/m-p/36608#M8131 <P>Sounds a bit strange. Real-time searches aren't that much different from normal searches and Splunk is taking care that only 1 search head in a pool is running each scheduled search. </P> <P>1) Search heads don't distribute jobs to another search heads but their search peers (aka indexers). If your search heads are also indexers then I suppose it's normal you see some activity on both systems.</P> <P>2) You can disable all scheduled searches on search head. I assume this would also disable real-time searches. See <A href="http://splunk-base.splunk.com/answers/30640/how-does-search-head-pooling-work-with-scheduled-searches">"how does search head pooling work with scheduled searches?"</A><BR /> This might act as work-a-round for you problem.</P> <P>BTW: Are you sure you aren't sending the same data to both your indexers? Ie. how did you verified both alerts were triggered from the same SINGLE event?</P> Thu, 16 Aug 2012 05:33:14 GMT https://community.splunk.com/t5/Splunk-Search/Real-time-alerting-with-search-head-pooling/m-p/36608#M8131 kallu 2012-08-16T05:33:14Z