Solved: Does Splunk distribute individual member searches ...

wmyersas · ‎12-01-2020

Like the title says - how are individual searches in a multisearch handled?

Are they distributed across any/all available search slots on any/all available Search Heads? Or do they only run on the Search Head that initiates the search?

Say you have several Search Heads in a Search Head Cluster.

And you have a multisearch like the following:

| multisearch
   [| search index=ndxA sourcetype=srctpA fieldA=* 
   | fields fieldA ]
   [| search index=ndxB sourcetype=srctpB fieldA=* fieldB=* 
   | fields fieldA fieldB ]
   [| search index=ndxC sourcetype=srctpC fieldB=* 
   | fields fieldB ]
   [| inputlookup MyFancyLookup where myLField1=G* 
   | fields myLField1 fieldA fieldB ]
| fillnull value="-" fieldA fieldB myLField1
| stats count by fieldA fieldB myLField1

Will each of the | search or | inputlookup lines run, potentially, on a different Search Head? Or will they all be run from the initiating Search Head?

wmyersas · ‎12-02-2020

User halr9000 on /r/Splunk cited "Dr Z" (Steve Zhang) as saying these are all run on the initiating Search Head

View solution in original post

wmyersas · ‎12-02-2020

User halr9000 on /r/Splunk cited "Dr Z" (Steve Zhang) as saying these are all run on the initiating Search Head

Does Splunk distribute individual member searches of a multisearch to available Slots on any/all available Search Heads?

search job inspector