Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do scheduled search works in a cluster?

mallempatisreed
Explorer
‎09-24-2018 09:04 AM

hi team,

If i have created scheduled searches/jobs on one of our standalone Search Heads (Search Head "A") and after a couple of months if we add two more search heads ( "B" and "C" ) and made it a cluster. How do the scheduled searches work in a cluster?

  1. Since Searches have been initially created on Search Head "A" , will they always run on Search Head "A"?

  2. If it's yes for the above question, then in case at the scheduled time due to various reasons ( like if SH A goes down ), will they run on SH B or SH C?

OR

  1. Captain of the Search Head Cluster decide where to run the scheduled searches in the cluster?

  2. If we have 5 Scheduled jobs or searches do we need to manually create them 2 on each Search Head to disperse the load?

How do they work? Please help me.

Thanks,
SM

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎09-24-2018 03:29 PM

If you refer to Migrate settings from a standalone search head to a search head cluster the documentation effectively advises moving the config over to the deployer from the standalone search head and creating a search head cluster.

You don't migrate a standalone search head into a cluster as such, as per the documentation:

You cannot migrate the search head
instance itself, only its settings.
You can only add clean, new Splunk
Enterprise instances to a search head
cluster.

You can of course get all the configuration off the standalone search head and have it on the search head cluster which would result in (B) part 1 in your question.

(B) part 2 said "If we have 5 Scheduled jobs or searches do we need to manually create them 2 on each Search Head to disperse the load?"

No, you create 5 on any search head in the cluster and the clustering replicates the config to all search heads, the captain then chooses which search head runs the search, more information in the docs around search head clustering.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...