Use distributed search
From the user standpoint, specifying and running a distributed search is essentially the same as running any other search. Behind the scenes, the search head distributes the query to its search peers and consolidates the results when presenting them to the user.
Users can limit the search peers that participate in a search. They also need to understand the distributed search configuration in order to troubleshoot it.
Perform distributed searches
In general, you specify a distributed search through the same set of commands as for a local search. However, Splunk provides several additional commands and options to assist with controlling and limiting a distributed search.
A search head by default runs its searches across all search peers in its cluster. You can limit a search to one or more search peers by specifying the splunk_server field in your query. See "Retrieve events from indexes and distributed search peers" in the Search manual.
The search command localop is also of use in defining distributed searches. It enables you to limit the execution of subsequent commands to the search head. See the description of localop in the Search Reference for details and an example.
In addition, the lookup command provides a local argument for use with distributed searches. If set to true, the lookup occurs only on the search head; if false, the lookup occurs on the search peers as well. This is particularly useful for scripted lookups, which replicate lookup tables. See the description of lookup in the Search Reference for details and an example.
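The three controls described above, shown together as added example searches (these are not from the Splunk documentation). The peer names idx-peer01 and idx-peer02, and the lookup table user_watchlist with its fields user and risk_tier, are assumptions made for the example; substitute the names from your own deployment.

```spl
index=_internal sourcetype=splunkd log_level=ERROR splunk_server=idx-peer01 OR splunk_server=idx-peer02 | stats count BY component, splunk_server

index=_internal sourcetype=splunkd log_level=ERROR splunk_server=idx-peer0* | stats count BY component, splunk_server

index=_audit action=search info=completed | localop | lookup user_watchlist user OUTPUT risk_tier | where isnotnull(risk_tier) | stats count BY user, risk_tier

index=_audit action=search info=completed | lookup local=true user_watchlist user OUTPUT risk_tier | where isnotnull(risk_tier) | stats count BY user, risk_tier
```

The first two searches restrict the peers that participate: the first names the peers explicitly, the second matches them with a wildcard on splunk_server. Either form is a quick way to confirm whether an error is confined to a particular peer without pulling results from the whole cluster. The third and fourth searches produce the same result but differ in scope: localop moves every command after it (the lookup, the where and the stats) to the search head, whereas lookup local=true keeps only that one lookup on the head and lets the peers run anything that follows. Both keep the user_watchlist table from having to exist on the peers, which matters when the table is maintained only on the search head.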
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18