Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

On which server should I deploy the Alerting: the search head or indexer node?

sbeamro
Explorer
‎01-05-2015 04:31 AM

Hi,
I'm running a configuration of 1 Search Head and 2 Index Nodes (one of them acts as License node).
I'd like to create real-time alerting and I was wondering what would be the best practice ?
should I deploy the searches of the alert over the search head or over the index nodes ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tom_frotscher
Builder
‎01-05-2015 04:37 AM

On the Search Head. Just one simple argument: the search head is able to search both indexers if given as search peers. The indexer may only know the data on itself, not on the other indexer.

View solution in original post

Reply
Solved! Jump to solution
Solution

tom_frotscher
Builder
‎01-05-2015 04:37 AM

On the Search Head. Just one simple argument: the search head is able to search both indexers if given as search peers. The indexer may only know the data on itself, not on the other indexer.

Reply
Solved! Jump to solution

linu1988
Champion
‎01-05-2015 04:41 AM

Adding to that, Don't configure the script for real time alerts, it will continuously trigger the script every minute irrespective of the results found or not.

Reply
Solved! Jump to solution

sbeamro
Explorer
‎01-05-2015 04:46 AM

when you say dont configure the script - do you mean for the search proccess ?
is there any best practice guide lines ?
(for example, we have some major switch interfaces etc)

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎01-05-2015 05:49 AM

I was refering to the script which is configured for a realtime alert. I personally feel there is not much use of a realtime alert. rather schedule it to run every minute or two. It will affect the performance for sure as the CPU core will be occupied. There is no best practice available currently but you will know this by experimenting in your test environment.

0 Karma
Reply
Solved! Jump to solution

sbeamro
Explorer
‎01-05-2015 04:40 AM

Tom, thats an excellent point !

I was wondering about the question if there is any effect over the performance of the search head or of the indexers.

by the way - do I lose performance when I run real-time alerting ? if so do do I lose performance on the indexer and the search head ?

can you elaborate ?

0 Karma
Reply
Solved! Jump to solution

tom_frotscher
Builder
‎01-05-2015 04:47 AM

Hey,
there is an excellent part of the documentation that covers your questions -> Link

Grettings

Tom

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...