Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

On which server should I deploy the Alerting: the search head or indexer node?

sbeamro
Explorer
‎01-05-2015 04:31 AM

Hi,
I'm running a configuration of 1 Search Head and 2 Index Nodes (one of them acts as License node).
I'd like to create real-time alerting and I was wondering what would be the best practice ?
should I deploy the searches of the alert over the search head or over the index nodes ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tom_frotscher
Builder
‎01-05-2015 04:37 AM

On the Search Head. Just one simple argument: the search head is able to search both indexers if given as search peers. The indexer may only know the data on itself, not on the other indexer.

View solution in original post

Reply
Solved! Jump to solution
Solution

tom_frotscher
Builder
‎01-05-2015 04:37 AM

On the Search Head. Just one simple argument: the search head is able to search both indexers if given as search peers. The indexer may only know the data on itself, not on the other indexer.

Reply
Solved! Jump to solution

linu1988
Champion
‎01-05-2015 04:41 AM

Adding to that, Don't configure the script for real time alerts, it will continuously trigger the script every minute irrespective of the results found or not.

Reply
Solved! Jump to solution

sbeamro
Explorer
‎01-05-2015 04:46 AM

when you say dont configure the script - do you mean for the search proccess ?
is there any best practice guide lines ?
(for example, we have some major switch interfaces etc)

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎01-05-2015 05:49 AM

I was refering to the script which is configured for a realtime alert. I personally feel there is not much use of a realtime alert. rather schedule it to run every minute or two. It will affect the performance for sure as the CPU core will be occupied. There is no best practice available currently but you will know this by experimenting in your test environment.

0 Karma
Reply
Solved! Jump to solution

sbeamro
Explorer
‎01-05-2015 04:40 AM

Tom, thats an excellent point !

I was wondering about the question if there is any effect over the performance of the search head or of the indexers.

by the way - do I lose performance when I run real-time alerting ? if so do do I lose performance on the indexer and the search head ?

can you elaborate ?

0 Karma
Reply
Solved! Jump to solution

tom_frotscher
Builder
‎01-05-2015 04:47 AM

Hey,
there is an excellent part of the documentation that covers your questions -> Link

Grettings

Tom

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...