Splunk Enterprise

Splunk CLI command to list all Search Heads from Cluster Master

amyboxy
Engager

I have setup an Indexer Cluster and joined Search Heads and Peer nodes to the Cluster Master.

I am able to see all the Peers, Indexes, Search Heads from Cluster Master Web Interface (Settings -> Indexer Clustering).

But I am looking for a CLI command that will list all the Search Heads that have joined this Cluster Master.

I have tried these but none of these show Search Head Nodes information.
$ splunk list cluster-generation
$ splunk list cluster-config
$ splunk show cluster-status

Labels (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

I'm not sure it you count this as a CLI, but you can try this

splunk search '(host=<your idx nodes on cluster> ((index=_internal sourcetype=splunkd_remote_searches "Streamed search search starting"))) | table server| dedup server'

Of course this needs that those SHs have made queries to this cluster.

r. Ismo 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Well, the indexer cluster doesn't know much about the search head cluster. If you're executing shcluster management commanda from a shcluster member, it knows that it's a shcluster member and knows where to look for captain and other info from there.

If you're calling the commands from other nodes (including CM), the splunk configuration on that node is not aware of any shclustering because it's not a part of shcluster. So you have to use the -uri option to call the proper splunk instance (a shcluster member).

0 Karma

HadrianusHon
Explorer

try ./splunk show shcluster-status --verbose

0 Karma

somesoni2
Revered Legend

You can use following endpoint to get list of search head in the indexer cluster:

https://docs.splunk.com/Documentation/Splunk/8.2.2/RESTREF/RESTcluster#cluster.2Fsearchhead.2Fgenera...

You can view other endpoint starting with "cluster/searchhead" as they give different details about the cluster's search head.

0 Karma

amyboxy
Engager

Yes, I tried this REST API call from CM and it would not return anything related to Search Head Nodes. 

I can get the Search Head nodes information from Search Head nodes(captain) but still not able to get these SH nodes from Cluster Master that owns Indexer Cluster.

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I don't have a CM with which to test this, but one of the REST API commands may give you the information you seek.

curl -k -u admin:password https://<host>:<mPort>/services/cluster/manager/info

See https://docs.splunk.com/Documentation/Splunk/8.2.2/RESTREF/RESTcluster#cluster.2Fmanager.2Finfo for details.

---
If this reply helps you, Karma would be appreciated.
0 Karma

amyboxy
Engager

Thanks for the reply but this still not giving me information on Search Heads Nodes... It is actually the XML form of CLI commands.

 

 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...