Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Question about the replication factor in searchhead clustering.

munang
Path Finder
‎01-30-2024 04:00 AM

Hello. I am a Splunk newbie.

I have a question about the replication factor in searchhead clustering.


Looking at the docs it says that search artifacts are only replicated for scheduled saved searches.

https://docs.splunk.com/Documentation/Splunk/9.1.2/DistSearch/ChooseSHCreplicationfactor

munang_0-1706615714919.png

 

I'm curious as to the reason and advantage of duplicating search artifacts only in this case.

And, then, in the case of real-time search, is it correct that search artifacts are not replicated and only remain on the local server?

In that case, in a clustering environment, member 2 should not be able to see the search results of member 1.
But I can view it by using the loadjob command in member2.

Then, wouldn’t it be possible to view real-time search artifacts as well?

Thank you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎01-30-2024 06:01 AM

Real-time searches are eeeeeevil and generally should not be used at all. Also there's not much to replicate in case of a real-time search since... they occur real-time and if you tried to run it another time you'd be running it with another set of data.

But if you meant ad-hoc search - I think the assumption is that ad-hoc search are used interactively so that you're not probably gonna need the results in another session, called with loadjob by another person logged in to another SHC member. With scheduled search it's different because a quite common way to optimize load is to schedule separate searches asynchronously so that one search uses the results from the already-performed search.

So it's simply that in some cases it seems to make much more sense than in others.

View solution in original post

Reply
Solved! Jump to solution

munang
Path Finder
‎01-31-2024 04:20 AM

@PickleRick 

Sorry for the late reply.

Thank you for the clear explanation. I understand!!! 

 

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎01-30-2024 06:01 AM

Real-time searches are eeeeeevil and generally should not be used at all. Also there's not much to replicate in case of a real-time search since... they occur real-time and if you tried to run it another time you'd be running it with another set of data.

But if you meant ad-hoc search - I think the assumption is that ad-hoc search are used interactively so that you're not probably gonna need the results in another session, called with loadjob by another person logged in to another SHC member. With scheduled search it's different because a quite common way to optimize load is to schedule separate searches asynchronously so that one search uses the results from the already-performed search.

So it's simply that in some cases it seems to make much more sense than in others.

Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...