When the same search is run twice in a splunk cluster, is it using a cache for the results or searching the data a second time?
A splunk search head search artifact means the results and metadata from a completed splunk search job (see: https://docs.splunk.com/Splexicon:Searchartifact)
So an artifact is a complete search which is cached for 10minutes.
In a search head cluster the search artifacts are replicated. However this takes a few seconds. What happens, if a search is run again on another search head and the artifact isnt replicated yet to that search head?
The search head captain, which streers those requests uses artifact proxying so the artifact is proxied from the search head which already has completed the search to the other search head.
Example
- 15 May 2025 11:21:01am - User1 starts the search "index=abc sourcetype=def" @04.May 2025 05:00:00am to 06:00:00am on SH1
- 15 May 2025 11:21:03am - The search "index=abc sourcetype=def" @04.May 2025 05:00:00am to 06:00:00am on SH1 is complete
- 15 May 2025 11:21:13am - User2 searches "index=abc sourcetype=def" @04.May 2025 05:00:00am to 06:00:00am on SH2
- The search head cluster captain will proxy the search artifact (search results) from SH2 to SH1, so the search mustnt run a second time
SPL query for Splunk proxied artifacts
index=_internal host IN (searchhead01*,searchhead02*,searchhead03*) sourcetype=splunkd_access uri_path="/services/search/jobs*" isProxyRequest=true | stats count by method host file
