I'm trying to populate a lookup table with information about my deployment clients. The only place I've found to get that information is from the deployment server itself. The following rest command returns the data I want, but it only works when I run it on the deployment server (which is not a search head peer, so doesn't have access to the same lookup tables for |outputlookup ).
If I specify "splunk_server=master" in the search, and run it on my normal search head cluster, I get no results back.
Is there a way to make the search run on my normal search heads and query against the deployment server? Or, alternatively, run on the master and write against a lookup table (kvstore, if it matters) on my search head cluster?
| rest splunk_server=local /services/deployment/server/clients
|foreach *.serverclasses [eval serverClass=mvdedup(mvappend(serverClass,'< < FIELD > >'))]
|rename hostname as sourceHost ip as sourceIp
... View more