How to make a search head not run any searches?

skrish91
Path Finder

We have a search head cluster with 5 individual search heads. 1 of those servers is a simple VM which was deployed as a quorum search head. The main purpose of this search head is to make the captain election easier in the cluster. We do not want this search head to run any searches since the resources allocated to this VM are minimal. Is there a way in which we could force this to not run any searches?

0 Karma
1 Solution

skrish91
Path Finder

Thanks everyone. The solution is to put the search head into detention mode. By this, the node doesn't receive any searches at all.

https://docs.splunk.com/Documentation/Splunk/7.2.5/DistSearch/SHdetention

0 Karma

richgalloway
SplunkTrust

This problem underscores why it is important for all SHs in a cluster to have the same configuration. The SHC captain assumes all cluster members have the same resources when assigning jobs and any member with less memory or fewer CPUs will find itself short on resources.

---
If this reply helps you, Karma would be appreciated.
0 Karma

somesoni2
Revered Legend

You can make that SH an adhoc SH and don't include that SH node in the Search Head VIP that you're using.

0 Karma

skrish91
Path Finder

Thanks for this suggestion. This will also work but I am looking to completely turn off searches. I think turning off the manual detention is the solution here.

0 Karma

skoelpin
SplunkTrust

Can you explain further how this will make the captain election easier? What issues have you found with your election process? How frequently does your SHC elect a new captain?

0 Karma

skrish91
Path Finder

It was configured by a Splunk professional services consultant, so I don't have a solid reason. We initially had an even number of search heads and it was suggested that a quorum search head is required to make the cluster have an odd number of search heads, which in turn will make it easier for captain election. There are no issues with captain election or anything. The problem is with a particular search head running out of memory. We do not want this search head to execute any searches.

0 Karma