I've got a cluster question regarding REST calls and translation into a clustered environment. I have multiple searches with problems, but I figure I can get pointed in the right direction and be good.
On my non-clustered search head, I have a call for displaying the number of logged-in users:
| rest /servicesNS/-/-/authentication/httpauth-tokens splunk_server=local |search NOT userName="splunk-system-user" searchId=""|stats dc(userName) AS count
I'm not sure how to translate this into our new clustered environment. I've seen via Google of
index=_internal sourcetype=splunkd_ui_access
but this is more of a log, not a count of currently logged in
Anyone have insight?
Change the splunk_server to point toward your cluster master. Here's what I have on my dashboard:
| rest /servicesNS/-/-/authentication/httpauth-tokens splunk_server=mymaster.company.corp |search NOT userName="admin" searchId=""|stats dc(userName) AS count