Solved: If a search head goes down do alerts queue until i...

Munju1 · ‎07-22-2021

We have one ES search head in a distributed environment.

1. If the search head goes down, do alerts queue up and trigger actions once Splunk is back up?

2. If yes, for what period of time are alerts retained for?

Thank you.

richgalloway · ‎07-22-2021

If a search head goes down no Splunk work can be done so there is no queuing of searches/alerts. Once the SH comes back up then searches will execute at their next interval. There is no "catch-up".

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎07-22-2021

If a search head goes down no Splunk work can be done so there is no queuing of searches/alerts. Once the SH comes back up then searches will execute at their next interval. There is no "catch-up".

---
If this reply helps you, Karma would be appreciated.

If a search head goes down do alerts queue until it returns?

alert action

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation