Hi Everyone,
I have a clustered SH (with the ES app installed) + an ad hoc search head.
I need to know what the role of the ad hoc SH is and which apps should be installed on it?
It's an on-prem environment.
Hi @0xAli
The primary role of the ad hoc SH here would be to run non-security-based searches/workloads. This could be management reports, scheduled searches to monitor the health of your Splunk deployment, ITOps, etc.
I would typically recommend ensuring that users who only need to perform general IT or operational searches are granted access only to the ad hoc search head, whilst reserving access to the ES search head cluster exclusively for security analysts and SOC operations. It is important for the security users to have their context available (e.g. lookup contents) when performing investigations; therefore, in most circumstances it would be better for them to do so on the ES SHC, not the ad hoc SH.
The other thing is that ES users might be prompted to run drilldown searches from their investigations/findings, and it could become problematic if they are trying to switch SHs.
Therefore you would only need to install the relevant apps for the searches/dashboarding you plan to perform on your ad hoc SH, rather than all the complementary ES TAs.
@0xAli As per your setup, in a Splunk Enterprise Security (ES) deployment with a search head cluster, the ad hoc search head serves a distinct role. It is configured to handle interactive, non-scheduled searches and dashboards, like ad hoc searches run by users during an investigation and stuff like that, effectively offloading general workloads from the ES cluster.
You can configure the setting 'adhoc_searchhead = true' in server.conf. This setting configures a member as an ad hoc search head. This ad hoc search head member does not run scheduled jobs and handles ad hoc search requests.
Another strategy is to make the captain node in a cluster an ad hoc search head to reduce its compute load, since it manages the cluster member functions. Use the setting 'captain_is_adhoc_searchhead' to reduce compute load on the captain.
The idea is to keep ES workloads isolated on the ES SH cluster, while the adhoc SH provides a place for users to run exploratory searches and dashboards without impacting correlation searches or risk analysis.
On the app installation part, you can install any supported or custom apps or add-ons, as required, that provide the visualization or reporting capabilities for your environment.
Refer to the server.conf link provided for the setting. Hope it clarifies.
Ref: server.conf | Platform (last updated 2026-02-07T13:35:36.291Z)
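As an added example (not posted by anyone in this thread), here is how the two server.conf settings mentioned above look on a member of a search head cluster. The stanza name [shclustering] is taken from the server.conf spec, not from the thread, and the btool command in the comments is a standard Splunk CLI check, not something the thread describes.

```ini
# server.conf on a search head cluster member (added example, not from the thread).
# Assumption: both settings live in the [shclustering] stanza, as documented in
# server.conf.spec; the thread itself does not name the stanza.
[shclustering]

# Option 1: designate THIS member as the ad hoc member. It serves interactive
# searches only and is skipped by the scheduler, so no correlation searches or
# other scheduled jobs land on it.
adhoc_searchhead = true

# Option 2: keep the captain free of scheduled searches so its compute goes to
# cluster management. As I understand the spec this must be set to the same
# value on every member (assumption; verify against your server.conf.spec).
captain_is_adhoc_searchhead = true

# Verify the effective value after a restart, with the file it came from:
#   splunk btool server list shclustering --debug | grep -E "adhoc_searchhead|captain_is_adhoc"
```

Both settings only have meaning for a node that is actually a member of the search head cluster, because they tell the cluster scheduler which members to skip. A standalone search head that sits outside the ES SHC has no cluster scheduler to opt out of, so for that topology the isolation comes from role/app placement rather than from these keys.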
@kknairr I think @0xAli is talking here about a separate SH outside the ES SHC, therefore the captain_is_adhoc_searchhead and adhoc_searchhead server.conf settings won't apply?