Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I load balancing REST API searches to a search head cluster?

mdwecht
Path Finder
‎09-05-2021 06:16 PM

Splunkers,

I have an external analytic engine that is currently making Splunk REST API calls to a specific search head in a search head cluster to pull data sets for analysis. It works great but I want to be able to load balance these REST calls across the search head cluster and each search requires a minimum of three REST calls to start the search, check the search status, and retrieve any available search results. I am sure I am not the first individual to require this functionality. Is this functionality already available in Splunk? Has anyone seen an open source implementation? Does a Phantom instance connect to a single Splunk search head? I don't want to degrade the user experience on a search head by having it dedicated to serving up data sets. Please advise...

Thanks,

Mark

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-06-2021 02:41 AM

As per Splunk docs, for search-head cluster you should use a load-balancer that can keep a sticky session.

So if you intiate a first connection with no additional cookies added to it, you should get a session, or a server cookie (depending on how your LB is configured) and you should send this cookie with subsequent requests in order to get to the same backend (search-head).

Then for next search you again send initial request without the cookie, get cookie in response and sent it with additional REST calls.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-06-2021 02:41 AM

As per Splunk docs, for search-head cluster you should use a load-balancer that can keep a sticky session.

So if you intiate a first connection with no additional cookies added to it, you should get a session, or a server cookie (depending on how your LB is configured) and you should send this cookie with subsequent requests in order to get to the same backend (search-head).

Then for next search you again send initial request without the cookie, get cookie in response and sent it with additional REST calls.

0 Karma
Reply
Solved! Jump to solution

Akeydel
Explorer
‎05-10-2023 10:41 AM

Do you have a link to those Splunk docs?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...