Hello,
We have 5 search heads in a cluster and a few (5) real-time alerts.
I know it is better to have scheduled searches, but please understand these alerts must be in real-time.
So, according to Splunk:
> The cluster only replicates search artifacts resulting from scheduled saved searches. It does not replicate results from these other search types:
> - Scheduled real-time searches
> - Ad hoc searches of any kind (realtime or historical)
>
> Instead, the cluster proxies these results, if they are requested by a non-originating search head. They appear on the requesting member after a short delay.
Does anyone know how long this "short delay" is? And actually, this is not happening in our environment.
When these real-time alerts trigger, I cannot simply bring the result by typing `|loadjob $sid$`.
Instead, I have to log in to the originating search head to bring the job.
Does this require a different port open other than the usual 8089?
reference: http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/SHCarchitecture
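A small diagnostic for the situation described in this post, added here as an example (it is not part of the post and not Splunk's own tooling): it asks every cluster member over the management port 8089 whether it can serve a given job sid, so you can see whether the artifact is visible only on the originating member or has been proxied to the others. It assumes the documented REST endpoint `GET /services/search/jobs/<sid>`, basic-auth credentials with access to the job, and that a member which cannot serve the job answers 404; the member hostnames and the sid in the usage block are constructed placeholders.

```python
"""Locate which search-head-cluster members can serve a search job artifact.

Example code, not from the original post or from Splunk. Assumptions:
management port 8089 on every member, basic-auth credentials that may read
the job, and the REST endpoint GET /services/search/jobs/<sid> returning
404 on a member that cannot serve the job.
"""
import base64
import ssl
import urllib.error
import urllib.parse
import urllib.request

MGMT_PORT = 8089  # Splunk management port mentioned in the post


def job_url(host: str, sid: str, port: int = MGMT_PORT) -> str:
    """Build the REST URL for one job on one member (sid is URL-encoded)."""
    encoded = urllib.parse.quote(sid, safe="")
    return f"https://{host}:{port}/services/search/jobs/{encoded}?output_mode=json"


def http_status(url: str, auth: tuple, timeout: float = 5.0,
                insecure: bool = False) -> int:
    """GET the URL with basic auth and return the HTTP status code.

    Non-2xx answers (404 for an unknown job, 401/403 for bad credentials)
    are returned as their status code rather than raised, so the caller
    can report them per member. Set insecure=True only for a lab member
    still using the self-signed certificate Splunk ships by default.
    """
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def locate_artifact(sid: str, members: list, fetch) -> tuple:
    """Probe every member for the sid.

    `fetch(url) -> int` is injected so the probe can be exercised without a
    live cluster. Returns (status_per_member, members_that_can_serve_it).
    """
    statuses = {host: fetch(job_url(host, sid)) for host in members}
    holders = [host for host, status in statuses.items() if status == 200]
    return statuses, holders


if __name__ == "__main__":
    # Constructed placeholders: replace with your member names, sid and credentials.
    members = ["sh1.example.internal", "sh2.example.internal", "sh3.example.internal"]
    sid = "rt_scheduler__admin__search__RMD5PLACEHOLDER_at_0_0"
    creds = ("svc_readonly", "REPLACE_ME")

    statuses, holders = locate_artifact(
        sid, members, lambda url: http_status(url, creds))
    for host, status in statuses.items():
        print(f"{host}: HTTP {status}")
    if not holders:
        print("no member can serve this sid (expired, or credentials lack access)")
    elif len(holders) < len(members):
        print("served only by:", ", ".join(holders), "- not yet proxied elsewhere")
    else:
        print("served by every member")
```

Run it shortly after a real-time alert fires and again a minute later: if the sid stays at 404 on the non-originating members while 200 on one, the proxying the documentation describes is not reaching those members, which is the symptom the post reports with `| loadjob`.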