I've got a cluster question regarding REST calls and translation into a clustered environment. I have multiple searches with problems, but I figure I can get pointed in the right direction and be good.
On my non-clustered search head, I have a call for displaying the number of logged-in users:
| rest /servicesNS/-/-/authentication/httpauth-tokens splunk_server=local | search NOT userName="splunk-system-user" searchId="" | stats dc(userName) AS count
I'm not sure how to translate this into our new clustered environment. I've seen via Google of
but this is more of a log, not a count of currently logged in