Deployment Architecture

How do scheduled search works in a cluster?


hi team,

If i have created scheduled searches/jobs on one of our standalone Search Heads (Search Head "A") and after a couple of months if we add two more search heads ( "B" and "C" ) and made it a cluster. How do the scheduled searches work in a cluster?

  1. Since Searches have been initially created on Search Head "A" , will they always run on Search Head "A"?

  2. If it's yes for the above question, then in case at the scheduled time due to various reasons ( like if SH A goes down ), will they run on SH B or SH C?


  1. Captain of the Search Head Cluster decide where to run the scheduled searches in the cluster?

  2. If we have 5 Scheduled jobs or searches do we need to manually create them 2 on each Search Head to disperse the load?

How do they work? Please help me.


0 Karma


If you refer to Migrate settings from a standalone search head to a search head cluster the documentation effectively advises moving the config over to the deployer from the standalone search head and creating a search head cluster.

You don't migrate a standalone search head into a cluster as such, as per the documentation:

You cannot migrate the search head
instance itself, only its settings.
You can only add clean, new Splunk
Enterprise instances to a search head

You can of course get all the configuration off the standalone search head and have it on the search head cluster which would result in (B) part 1 in your question.

(B) part 2 said "If we have 5 Scheduled jobs or searches do we need to manually create them 2 on each Search Head to disperse the load?"

No, you create 5 on any search head in the cluster and the clustering replicates the config to all search heads, the captain then chooses which search head runs the search, more information in the docs around search head clustering.

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...