Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can an alert be run from a specific Search Head in a clustered environment?

nicofantinato
Path Finder
‎11-02-2020 09:03 AM

Hi all,

we have a Splunk Enterprise clustered environment, with a cluster of 3 search heads.

For many reasons, a lookup file is updated once a day in only one of these search heads (the first one).

To update this lookup file also in the other two search heads, we set up a scheduled search with the following string:

 

 

| inputlookup my_lookup_table.csv
| outputlookup my_lookup_table.csv

 

 

Since if this search is run from a different search head than the number one the lookup is not updated, is it possible to run it always from the same search head? I know we could send the lookup via SFTP to the other search heads servers, but if possible we'd like to avoid it.

Thanks in advance.

Labels (2)
Labels
0 Karma
Reply

Azeemering
Builder
‎11-02-2020 09:55 AM


What am I missing here? If you have clustered search heads you also should have configured cluster replication. For a search head cluster to function properly, its members must all use the same set of search-related configurations. 

https://docs.splunk.com/Documentation/Splunk/8.1.0/DistSearch/HowconfrepoworksinSHC

But if you want to run a search from a specific search head you could theoretically configure all the other search heads to only run ad hoc searches. ‌‌In server.conf add the following 😂

[shclustering]
adhoc_searchhead = true

0 Karma
Reply

nicofantinato
Path Finder
‎11-03-2020 12:29 AM

Hi Azeemering. Yep, cluster replication is configured, but if you copy a lookup file under $SPLUNK_HOME/etc/apps/app_name/lookups it is updated only on that specific search head, replication is done only if click Save button from web console... or at least this is the behaviour we observed in our environment.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-02-2020 09:39 AM

The SHC captain decides which member will run each scheduled search.  There is no provision for overriding that decision.

How is the lookup file updated in the first place?  Could that utility also update the other SHC members?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

nicofantinato
Path Finder
‎11-03-2020 12:33 AM

Hi richgalloway. 

"The SHC captain decides which member will run each scheduled search.  There is no provision for overriding that decision." that's what we were afraid of.

The lookup comes form a curl command, a script launches the command once a day in only one of the search heads. Security guys want us to do this way.

0 Karma
Reply
Get Updates on the Splunk Community!

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

Buttercup Games: Further Dashboarding Techniques (Part 3)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Digital Resilience Assessment Launch | How prepared are you for disruption?

Disruption is inevitable. The question is – how prepared are you to handle it? In today’s fast-moving digital ...
li.common.scroll-to.top