Deployment Architecture

REST API and search head cluster



In our system, Splunk REST API does a login call to Splunk in one of the search heads and gets a token from that search head.

Later on, the load balancer changes the search head that Splunk REST API is connected to.
The service is still logged into the previous search head with the token from that search head, but it's sending this token to a different search head which still hasn't been logged into.

How can I solve this issue now that we are running with search head cluster?


Labels (2)
0 Karma

Esteemed Legend

You need to turn on sticky sessions feature on your load balancer based on session_id_PORTNUMBER cookie.

0 Karma


that means it will be sticky what happens if the instances its tied to crashes and the load balancer switches instances?
also it will always be the same session on the same splunk instance ?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...