- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- How to make a search head not run any searches?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have a search head cluster with 5 individual search heads. 1 of those servers is a simple VM which was deployed as a quorum search head. The main purpose of this search head is to make the captain election easier in the cluster. We do not want this search head to run any searches since the resources allocated to this VM is minimal. Is there a way in which we could force this to not run any searches?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks everyone. The solution is to put the search head into detention mode. By this the node doesnt receive any searches at all.
https://docs.splunk.com/Documentation/Splunk/7.2.5/DistSearch/SHdetention
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This problem underscores why it is important for all SHs in a cluster to have the same configuration. The SHC captain assumes all cluster members have the same resources when assigning jobs and any member with less memory or fewer CPUs will find itself short on resources.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks everyone. The solution is to put the search head into detention mode. By this the node doesnt receive any searches at all.
https://docs.splunk.com/Documentation/Splunk/7.2.5/DistSearch/SHdetention
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
YOu can make that SH an adhoc SH and don't include that SH node in the Search Head VIP that you're using.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for this suggestion. This will also work but I am looking to completely turn off searches. I think turning off the manual detention is the solution here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you explain further how this will make the captain election easier? What issues have you found with your electron process? How frequently does your SHC elect a new captain?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It was configured by Splunk professional services consultant so I dont have solid reason. We initially had even number of search heads and it was suggested that a quorum search head is required to make the cluster have odd number of search heads which in turn will make it easier for captain election. There is no issues with captain election or anything. The problem is with a particular search head running out of memory. We do not want this search head to execute any searches.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
