
How do I locate the captain on a search head cluster?

Path Finder

I can't find the documentation about locating the captain, but I need to do a rolling restart. The docs mention it has to be initiated from the captain. Please advise.

Thanks, Jennifer

1 Solution

Path Finder

As not all instances allow for CLI access, such as Splunk Cloud, you may also query the captain from the Search GUI.

| rest /services/shcluster/status splunk_server=local
| fields captain.label


If you're trying to get the captain for programmatic purposes, as I am, you can either use the API, like so:

curl -s -XGET -u "admin:${SPLUNK_PASSWORD}" \
    "https://${SPLUNK_ENDPOINT}/services/shcluster/status?output_mode=json" | \
  jq -r '.entry[0].content.captain.label'

Or if you can't install jq, you can do something like:

/opt/splunk/bin/splunk show shcluster-status -auth "admin:${SPLUNK_PASSWORD}" | \
  grep label | head -n1 | cut -d ":" -f2 | xargs
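Added example, not part of the original answer: a jq-free parse of the `splunk show shcluster-status` text that reads the label only from inside the `Captain:` block and exits non-zero when no captain is found, so a restart script never continues with an empty or wrong host. The function names, host names and sample output are constructed for illustration; the sample assumes the CLI prints `Captain:` and `Members:` section headers with indented `key : value` lines.

```bash
#!/usr/bin/env bash
# Added example (not from the original post).
# Reads `splunk show shcluster-status` text on stdin, prints the captain label.
captain_label() {
  awk '
    # Enter the Captain block on its header line.
    /^[ \t]*Captain:[ \t]*$/ { in_captain = 1; next }
    # Any other bare "Name:" header (e.g. "Members:") ends the Captain block.
    /^[ \t]*[A-Za-z_]+:[ \t]*$/ { in_captain = 0 }
    # Inside the Captain block, take the value after "label :".
    in_captain && /^[ \t]*label[ \t]*:/ {
      sub(/^[^:]*:[ \t]*/, "")   # drop key and separator
      sub(/[ \t]+$/, "")         # drop trailing whitespace
      print; found = 1; exit
    }
    # No captain label seen: fail so callers can stop.
    END { if (!found) exit 1 }
  '
}

# Constructed sample output. Members is placed first on purpose to show that
# the parse does not depend on the Captain block being printed first.
sample_status() {
  cat <<'EOF'
 Members:
    sh01
                            label : sh01
                         mgmt_uri : https://sh01.example.test:8089
                           status : Up

 Captain:
                  dynamic_captain : 1
                            label : sh03
                         mgmt_uri : https://sh03.example.test:8089
               service_ready_flag : 1
EOF
}

# Usage in a script (same command and -auth form as in the answer above):
#   captain=$(/opt/splunk/bin/splunk show shcluster-status \
#               -auth "admin:${SPLUNK_PASSWORD}" | captain_label) \
#     || { echo "no captain found, aborting" >&2; exit 1; }
```
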

Path Finder

The information is in docs.

splunk show shcluster-status -auth username:password
