How do scheduled searches work in a cluster?

Hi team,

If I have created scheduled searches/jobs on one of our standalone Search Heads (Search Head "A"), and after a couple of months we add two more search heads ("B" and "C") and make it a cluster, how do the scheduled searches work in a cluster?

  1. Since the searches were initially created on Search Head "A", will they always run on Search Head "A"?

  2. If it's yes for the above question, then in case at the scheduled time, due to various reasons (like if SH A goes down), will they run on SH B or SH C?

OR

  1. Does the captain of the Search Head Cluster decide where to run the scheduled searches in the cluster?

  2. If we have 5 Scheduled jobs or searches do we need to manually create them 2 on each Search Head to disperse the load?

How do they work? Please help me.

Thanks,
SM

SplunkTrust

If you refer to "Migrate settings from a standalone search head to a search head cluster", the documentation effectively advises moving the config over to the deployer from the standalone search head and creating a search head cluster.

You don't migrate a standalone search head into a cluster as such, as per the documentation:

"You cannot migrate the search head instance itself, only its settings. You can only add clean, new Splunk Enterprise instances to a search head cluster."

You can of course get all the configuration off the standalone search head and have it on the search head cluster, which would result in (B) part 1 in your question.

(B) part 2 said "If we have 5 Scheduled jobs or searches do we need to manually create them 2 on each Search Head to disperse the load?"

No, you create 5 on any search head in the cluster and the clustering replicates the config to all search heads; the captain then chooses which search head runs the search. More information is in the docs around search head clustering.