
Splunkers,
I have an external analytic engine that is currently making Splunk REST API calls to a specific search head in a search head cluster to pull data sets for analysis. It works great but I want to be able to load balance these REST calls across the search head cluster and each search requires a minimum of three REST calls to start the search, check the search status, and retrieve any available search results. I am sure I am not the first individual to require this functionality. Is this functionality already available in Splunk? Has anyone seen an open source implementation? Does a Phantom instance connect to a single Splunk search head? I don't want to degrade the user experience on a search head by having it dedicated to serving up data sets. Please advise...
Thanks,
Mark

As per Splunk docs, for a search-head cluster you should use a load balancer that can keep a sticky session.
So if you initiate a first connection with no additional cookies added to it, you should get a session or a server cookie (depending on how your LB is configured), and you should send this cookie with subsequent requests in order to get to the same backend (search head).
Then for the next search you again send the initial request without the cookie, get a cookie in the response, and send it with the additional REST calls.
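
The cookie handling described in the reply above, as an added example that is not part of the original post or Splunk's own code. `FakeCluster`, the `LB_NODE` cookie name, and the rule that a job is only visible on the search head that created it are constructed assumptions that stand in for a real load balancer; the paths are the search job endpoints the three calls use.

```python
import itertools

class FakeCluster:
    """Constructed stand-in for a load balancer in front of two search heads."""
    def __init__(self, nodes=("sh1", "sh2")):
        self.jobs = {n: set() for n in nodes}   # sids known to each search head
        self.rr = itertools.cycle(nodes)        # round-robin for cookie-less requests
        self.seq = itertools.count(1)

    def send(self, method, path, cookies):
        # Sticky routing: honour the LB cookie if present, else pick the next node.
        node = cookies.get("LB_NODE")           # cookie name is an assumption
        if node not in self.jobs:
            node = next(self.rr)
        set_cookie = {"LB_NODE": node}
        if method == "POST" and path == "/services/search/jobs":
            sid = f"{node}_{next(self.seq)}"
            self.jobs[node].add(sid)
            return 201, set_cookie, {"sid": sid}
        sid = path.split("/")[4]                # /services/search/jobs/<sid>[/results]
        if sid not in self.jobs[node]:
            return 404, set_cookie, {}          # wrong backend: job unknown here
        if path.endswith("/results"):
            return 200, set_cookie, {"results": [{"served_by": node}]}
        return 200, set_cookie, {"isDone": True}

def run_search(send, sticky=True):
    """Start, poll and fetch one search; returns the sid and each call's status."""
    jar = {}                                    # fresh jar: first request has no cookie
    def call(method, path):
        status, set_cookie, body = send(method, path, dict(jar) if sticky else {})
        if sticky:
            jar.update(set_cookie)              # replay the LB cookie on later calls
        return status, body
    s1, body = call("POST", "/services/search/jobs")
    sid = body["sid"]
    s2, _ = call("GET", f"/services/search/jobs/{sid}")
    s3, _ = call("GET", f"/services/search/jobs/{sid}/results")
    return sid, [s1, s2, s3]

if __name__ == "__main__":
    lb = FakeCluster()
    print(run_search(lb.send))                  # first search, pinned to one node
    print(run_search(lb.send))                  # next search starts cookie-less
    print(run_search(lb.send, sticky=False))    # cookie dropped between calls
```

Starting each search with an empty cookie jar is what lets the load balancer spread searches across members, while replaying the cookie keeps the status and results calls on the member that owns the job.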

Do you have a link to those Splunk docs?

