Deployment Architecture

In our environment we have two search heads (A & B)

satkan100
Path Finder

In our environment we have two search heads (A & B), but we have configured nearly 3000 scheduled alerts on search head A. We have observed more load, hence we are planning to share the scheduled alert load with search head B. How can we move 1500 of search head A's scheduled alerts to search head B?

1 Solution

elliotproebstel
Champion

If you have the resources for it, the suggestion by @p_gurav to implement search head clustering is a great one. If not, what you're talking about will involve moving/copying savedsearches.conf files and associated metadata. When I needed to move saved searches from one search head to another, I copied the entire app folder $SPLUNK_HOME/etc/apps/my_app to a backup location. I then used vim to modify the savedsearches.conf file to set enabled=0 for all of the searches. I copied the entire app folder from this backup location onto the second search head and systematically enabled saved searches on the new search head as I disabled them on the first search head. (I did this in batches by editing the savedsearches.conf files on both search heads and then using debug/refresh to cause Splunk to pick up the configuration changes.)

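The batched cut-over above only works if every alert ends up active on exactly one search head: active on both means it fires twice, active on neither is a detection gap. The following is an added Python helper, not code from the post or from Splunk, that rewrites a savedsearches.conf into an A copy and a B copy for one batch and then checks where each alert is active. It writes the `disabled` key, which is the on/off setting savedsearches.conf uses (the post's `enabled=0` describes the same switch); the conf sample and the alert names in it are constructed.

```python
import re

# Constructed sample of a savedsearches.conf taken from search head A (not from the post).
SAMPLE_CONF = """[Failed logins burst]
search = index=auth action=failure | stats count by user | where count > 20
enableSched = 1

[New admin account created]
search = index=wineventlog EventCode=4720
disabled = 0
"""

def parse_stanzas(text):
    """Split conf text into [(stanza name, body lines)]; blank lines are dropped."""
    stanzas = []
    for line in text.splitlines():
        m = re.match(r"^\[(.+)\]\s*$", line)
        if m:
            stanzas.append((m.group(1), []))
        elif stanzas and line.strip():
            stanzas[-1][1].append(line)
    return stanzas

def set_key(body, key, value):
    """Return body with 'key = value', replacing an existing setting or appending one."""
    pat = re.compile(rf"^\s*{re.escape(key)}\s*=")
    return [l for l in body if not pat.match(l)] + [f"{key} = {value}"]

def render(stanzas):
    return "".join(f"[{n}]\n" + "\n".join(b) + "\n\n" for n, b in stanzas)

def split_for_move(text, to_move, key="disabled"):
    """Return (conf for A, conf for B): moved alerts off on A and on on B, others on A only."""
    stanzas = parse_stanzas(text)
    missing = set(to_move) - {n for n, _ in stanzas}
    if missing:
        raise ValueError(f"not in conf: {sorted(missing)}")
    conf_a = [(n, set_key(b, key, "1") if n in to_move else b) for n, b in stanzas]
    conf_b = [(n, set_key(b, key, "0" if n in to_move else "1")) for n, b in stanzas]
    return render(conf_a), render(conf_b)

def owners(conf_a, conf_b, key="disabled"):
    """Map each alert to 'A', 'B', 'both' (fires twice) or 'none' (detection gap)."""
    off = re.compile(rf"^\s*{re.escape(key)}\s*=\s*1\s*$")
    def active(text):  # a missing key means disabled = 0, i.e. the search runs
        return {n for n, b in parse_stanzas(text) if not any(off.match(l) for l in b)}
    a, b = active(conf_a), active(conf_b)
    return {n: "both" if n in a & b else "A" if n in a else "B" if n in b else "none"
            for n, _ in parse_stanzas(conf_a)}
```

Run `split_for_move` on the current file with the batch of stanza names to move, write the two returned strings over savedsearches.conf on A and B, and confirm `owners` reports no "both" or "none" before the debug/refresh step the post describes.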

p_gurav
Champion

Did you try using search head clustering? Refer below doc: http://docs.splunk.com/Documentation/Splunk/7.0.3/DistSearch/SHCdeploymentoverview
