Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

In our environment we have two search head (A & B)

satkan100
Path Finder
‎04-13-2018 03:32 AM

In our environment we have two search head (A & B) but we have configured A search head nearly 3000 Scheduled alert we have observed more load hence we will planning to share scheduled alert load to B search head how can move 1500 A search head scheduled alert to B search head.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎04-13-2018 08:05 AM

If you have the resources for it, the suggestion by @p_gurav to implement search head clustering is a great one. If not, what you're talking about will involve moving/copying savedsearches.conf files and associated metadata. When I needed to move saved searches from one search head to another, I copied the entire app folder $SPLUNK_HOME/etc/apps/my_app to a backup location. I then used vim to modify the savedsearches.conf file to set enabled=0 for all of the searches. I copied the entire app folder from this backup location onto the second search head and systematically enabled saved searches on the new search head as I disabled them on the first search head. (I did this in batches by editing the savedsearches.conf files on both search heads and then using debug/refresh to cause Splunk to pick up the configuration changes.)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎04-13-2018 08:05 AM

If you have the resources for it, the suggestion by @p_gurav to implement search head clustering is a great one. If not, what you're talking about will involve moving/copying savedsearches.conf files and associated metadata. When I needed to move saved searches from one search head to another, I copied the entire app folder $SPLUNK_HOME/etc/apps/my_app to a backup location. I then used vim to modify the savedsearches.conf file to set enabled=0 for all of the searches. I copied the entire app folder from this backup location onto the second search head and systematically enabled saved searches on the new search head as I disabled them on the first search head. (I did this in batches by editing the savedsearches.conf files on both search heads and then using debug/refresh to cause Splunk to pick up the configuration changes.)

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎04-13-2018 05:32 AM

Did you try using search head clustering? Refer below doc: http://docs.splunk.com/Documentation/Splunk/7.0.3/DistSearch/SHCdeploymentoverview

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...