Deployment Architecture

How do I locate the captain on a search head cluster?

Path Finder

I can't find the documentation about locating the captain, but I need to do a rolling restart. The docs mention it has to be initiated from the captain. Please advise.

Thanks, Jennifer

1 Solution

Path Finder

Path Finder

As not all instances allow for CLI access, such as Splunk Cloud, you may also query the captain from the Search GUI.

| rest /services/shcluster/status splunk_server=local
| fields captain.label


If you're trying to get the captain for programatic purposes, as I am, you can either use the API, like so:

curl -s -XGET -u "admin:${SPLUNK_PASSWORD}" \
    "https://${SPLUNK_ENDPOINT}/services/shcluster/status?output_mode=json" | \
  jq -r '.entry[0].content.captain.label'

Or if you can't install jq, you can do something like:

/opt/splunk/bin/splunk show shcluster-status -auth 'admin:${SPLUNK_PASSWORD}' | \
  grep label | head -n1 | cut -d ":" -f2 | xargs

Path Finder

The information is in docs.

splunk show shcluster-status -auth username:password

Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...