Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Head Cluster - Scheduled Search Running only in one instance

ykpramodhcbt
Path Finder
‎12-01-2017 05:09 AM

Hi All,

We have a search head cluster with 3 search heads along with a deployer. We have a scheduled search which runs a query every 8 hours and pushes the data to the "summary indexes". Though the search is scheduled on all the search heads (SH1, SH2, SH3), we observed that the summary index calculation is happening only in one of the search heads. Is this a default setting?

Reply
1 Solution
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎12-01-2017 05:17 AM

Hi @ykpramodhcbt,

When you schedule a search in Search Head Cluster, it will run only on 1 search head not all search heads. In Search Head Cluster, captain will decide(Baed on load on SH) on which SH scheduled search will run so it will be fine if is running on same server on daily basis.

Additionally also check whether you have configured to run ad-hoc searches only on 2 search heads based on this documentation? If so then 2 search heads will run ad-hoc searches only and only 1 search head will run schedule searches.

View solution in original post

Reply
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎12-01-2017 05:17 AM

Hi @ykpramodhcbt,

When you schedule a search in Search Head Cluster, it will run only on 1 search head not all search heads. In Search Head Cluster, captain will decide(Baed on load on SH) on which SH scheduled search will run so it will be fine if is running on same server on daily basis.

Additionally also check whether you have configured to run ad-hoc searches only on 2 search heads based on this documentation? If so then 2 search heads will run ad-hoc searches only and only 1 search head will run schedule searches.

Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎12-04-2017 06:51 AM

Hi @ykpramodhcbt,

Comment which I have provided helped you to figure out problem you are facing?

0 Karma
Reply
Solved! Jump to solution

ykpramodhcbt
Path Finder
‎12-04-2017 09:39 PM

Hi, It is helpful.

Can you please let us know how we can figure out which search head picked up a scheduled search?

Currently we are running the following command on all seach heads -
$ cat splunkd.log | grep "searchname"

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎12-04-2017 09:51 PM

If you are forwarding your search head logs to indexer then you can use query index=_internal host=<Sead Heads> source=*scheduler.log* to find out which search ran on which search heads. I am not in front of my splunk instance otherwise I'll provide more accurate query.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...