What does status=delegated_remote OR status=delega...

ben_leung · ‎02-18-2015

If looking at scheduler log from a single search head in the search head cluster, what does status=delegated_remote OR status=delegated_remote_completion mean? Does it mean that the search that was running to the current search head move to another search peer to run and complete?

jcrabb_splunk · ‎04-16-2015

This is logged on the captain in scheduler.log when a remote job is delegated to a member and when a remote delegated job is completed on a member.

Jacob
Sr. Technical Support Engineer

BP9906 · ‎04-16-2015

How do you determine the peer the search was sent to?
I have a 2 peer SH cluster and the captain says status=delegated_remote and we received no alert. Not to mention that the other peer (not captain) is configured to be adhoc searching only. So why did the captain delegate it?

sowings · ‎06-27-2018

member_label / member_guid / member_uri from the same message. I've seen the captain report that it delegated a search to itself.

awilliams_splun · ‎02-13-2017

How do you have a two peer SHC? At least 3 Search heads are required.

ben_leung · ‎02-18-2015

I have not yet seen the scheduler skip a search yet... Wondering how the log looks like when it does skip... Anyone experience this in SHC yet?

What does status=delegated_remote OR status=delegated_remote_completion mean in the scheduler log?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?