All Apps and Add-ons

From a search head, how can we know which instance is the captain and which are members for that specific search head cluster?


How can this be viewed from Splunk Web using the S.o.S - Splunk on Splunk app in Splunk based on time?


don't know about splunk on splunk, but you can view all the information in the Distributed Management Console

Splunk Employee
Splunk Employee

First, there are no plans to add views to the S.o.S app that will provide visibility & introspection for Search Head Clustering.

The good news, however, is that the Distributed Management Console ships with Search Head Clustering dashboards as of Splunk Enterprise 6.3!

Most notably, the very first view titled "Status and Configuration" provides an overview of your Search Head Cluster(s) and will show a list of cluster members and point out the captain.

Do note that this information is not available directly from search-heads that are members of the cluster as the DMC is not supported there - you'll need to set up an instance outside of the cluster (typically, the app deployer) to be the DMC and monitor the cluster from outside.


Also the following search on a cluster member will tell you the captain

| rest splunk_server=local /services/shcluster/captain/info | rename label as Captain | fields Captain


Although on the command line on any search head, you can run

splunk show shcluster-status

which will tell you the status of the cluster and each member, including identifying the captain.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...