How do scheduled searches work in a cluster?

mallempatisreed
Explorer

Hi team,

If I have created scheduled searches/jobs on one of our standalone Search Heads (Search Head "A"), and after a couple of months we add two more search heads ("B" and "C") and make it a cluster, how do the scheduled searches work in a cluster?

  1. Since the searches were initially created on Search Head "A", will they always run on Search Head "A"?

  2. If it's yes for the above question, then in case SH A is unavailable at the scheduled time for various reasons (like if SH A goes down), will they run on SH B or SH C?

OR

  1. Does the captain of the Search Head Cluster decide where to run the scheduled searches in the cluster?

  2. If we have 5 scheduled jobs or searches, do we need to manually create them, 2 on each Search Head, to disperse the load?

How do they work? Please help me.

Thanks,
SM

gjanders
SplunkTrust

If you refer to "Migrate settings from a standalone search head to a search head cluster", the documentation effectively advises moving the config over to the deployer from the standalone search head and creating a search head cluster.

You don't migrate a standalone search head into a cluster as such, as per the documentation:

"You cannot migrate the search head instance itself, only its settings. You can only add clean, new Splunk Enterprise instances to a search head cluster."

You can of course get all the configuration off the standalone search head and have it on the search head cluster, which would result in (B) part 1 in your question.

(B) part 2 said "If we have 5 Scheduled jobs or searches do we need to manually create them 2 on each Search Head to disperse the load?"

No, you create 5 on any search head in the cluster and the clustering replicates the config to all search heads. The captain then chooses which search head runs the search. More information is in the docs around search head clustering.
