Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Real-time alerting with search head pooling

mark
Path Finder
‎08-15-2012 09:48 PM

Hi,

We have a distributed environment with 2 search heads in a pool (for LB and HA) running v4.3.0 (upgrading shortly).
When scheduling real-time searches, both search heads start processing the events simultaneously (There is splunkd search processes running on each search head).
Then when an alert if fired, both search heads trigger the alert (for example, both search heads send an email; even with throttling enabled).

1.Is it correct that both search heads run the scheduled real-time search? What is the benefit of this, as is just seems to put undue load on the environment?

2.Is it possible to restrict this real-time searching to only occur on one or the two search heads?

Thanks,
Mark

Reply

kallu
Communicator
‎08-15-2012 10:33 PM

Sounds a bit strange. Real-time searches aren't that much different from normal searches and Splunk is taking care that only 1 search head in a pool is running each scheduled search.

1) Search heads don't distribute jobs to another search heads but their search peers (aka indexers). If your search heads are also indexers then I suppose it's normal you see some activity on both systems.

2) You can disable all scheduled searches on search head. I assume this would also disable real-time searches. See "how does search head pooling work with scheduled searches?"
This might act as work-a-round for you problem.

BTW: Are you sure you aren't sending the same data to both your indexers? Ie. how did you verified both alerts were triggered from the same SINGLE event?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...