Splunk® Enterprise

REST API Reference Manual

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Clusters

Use the Cluster endpoints to configure and manage master and peer nodes in a cluster.

cluster/*
Access and manage clusters.


cluster/config

Allows you to configure and access nodes in a cluster.

GET cluster/config

Lists the configuration of a node in a cluster.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify -1.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view the cluster configuration.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
cxn_timeout Low-level timeout, in seconds, for establishing connection between cluster nodes. Defaults to 60 seconds.
disabled Indicates if this node is disabled.
forwarderdata_rcv_port The port from which to receive data from a forwarder.
forwarderdata_use_ssl Indicates whether to use SSL when receiving data from a forwarder.
heartbeat_period Only valid for peer nodes in a cluster. The time, in seconds, that a peer attempts to send a heartbeat to the master
heartbeat_timeout Only valid for the master node in a cluster configuration. The time, in seconds, before a master considers a peer down. Once a peer is down, the master initiates steps to replicate buckets from the dead peer to its live peers. Defaults to 60 seconds.
master_uri Valid only for nodes configured as a peer or searchhead.

URI of the cluster master to which this node connects.

max_peer_build_load The number of jobs that a peer can have in progress at any time that make the bucket searchable.
max_peer_rep_load Maximum number of replications that can be ongoing as a target.
mode Valid values: (master | slave | searchhead | disabled) Defaults to disabled.

Sets operational mode for this cluster node. Only one master may exist per cluster.

ping_flag For internal use to facilitate communication between the master and peers.
quiet_period The time, in seconds, that a master waits for peers to add themselves to the cluster.
rcv_timeout Low-level timeout, in seconds, for receiving data between cluster nodes. Defaults to 60 seconds.
register_forwarder_address Not used.

Reserved for future use.

register_replication_address Valid only for nodes configured as peers. The address on which a peer is available for accepting replication data. This is useful in the cases where a peer host machine has multiple interfaces and only one of them can be reached by another splunkd instance.
register_search_address IP address that advertises this indexer to search heads.
rep_cxn_timeout Low-level timeout, in seconds, for establishing a connection for replicating data.
rep_max_rcv_timeout Maximum cumulative time, in seconds, for receiving acknowledgement data from peers. Defaults to 600s.
rep_max_send_timeout Maximum time, in seconds, for sending replication slice data between cluster nodes. Defaults to 600s.
rep_rcv_timeout Low-level timeout, in seconds, for receiving data between cluster nodes.
rep_send_timeout Low-level timeout, in seconds, for sending replication data between cluster nodes. Defaults to 5 seconds.
replication_factor Only valid for nodes configured as a master.

Determines how many copies of raw data are created in the cluster. This could be less than the number of cluster peers.

Must be greater than 0 and greater than or equal to the search factor. Defaults to 3.

replication_port TCP port to listen for replicated data from another cluster member.
replication_use_ssl Indicates whether to use SSL when sending replication data.
restart_timeout Only valid for nodes configured as a master. The amount of time, in seconds, the master waits for a peer to come back when the peer is restarted (to avoid the overhead of trying to fix the buckets that were on the peer). Defaults to 600 seconds.

Note: This only works if the peer is restarted from Splunk Web.

search_factor Only valid for nodes configured as a master. Determines how many searchable copies of each bucket to maintain. Must be less than or equal to replication_factor and greater than 0. Defaults to 2.
secret Secret shared among the nodes in the cluster to prevent any arbitrary node from connecting to the cluster. If a peer or searchhead is not configured with the same secret as the master, it is not able to communicate with the master.

Corresponds to pass4SymmKey setting in server.conf.

send_timeout Low-level timeout, in seconds, for sending data between cluster nodes. Defaults to 60 seconds.

Example

Lists the configuration of a master node in a cluster.

curl -k -u admin:pass https://localhost:8089/services/cluster/config
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>clusterconfig</title>
  <id>https://localhost:8089/services/cluster/config</id>
  <updated>2012-09-05T10:19:49-07:00</updated>
  <generator build="136169" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/config/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>config</title>
    <id>https://localhost:8089/services/cluster/config/config</id>
    <updated>2012-09-05T10:19:49-07:00</updated>
    <link href="/services/cluster/config/config" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/cluster/config/config" rel="list"/>
    <link href="/services/cluster/config/config/_reload" rel="_reload"/>
    <link href="/services/cluster/config/config" rel="edit"/>
    <link href="/services/cluster/config/config/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="cxn_timeout">60</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="forwarderdata_rcv_port">0</s:key>
        <s:key name="forwarderdata_use_ssl">1</s:key>
        <s:key name="heartbeat_period">1</s:key>
        <s:key name="heartbeat_timeout">60</s:key>
        <s:key name="master_uri"></s:key>
        <s:key name="max_peer_build_load">5</s:key>
        <s:key name="max_peer_rep_load">5</s:key>
        <s:key name="mode">master</s:key>
        <s:key name="ping_flag">1</s:key>
        <s:key name="quiet_period">60</s:key>
        <s:key name="rcv_timeout">60</s:key>
        <s:key name="register_forwarder_address"></s:key>
        <s:key name="register_replication_address"></s:key>
        <s:key name="register_search_address"></s:key>
        <s:key name="rep_cxn_timeout">5</s:key>
        <s:key name="rep_max_rcv_timeout">600</s:key>
        <s:key name="rep_max_send_timeout">600</s:key>
        <s:key name="rep_rcv_timeout">10</s:key>
        <s:key name="rep_send_timeout">5</s:key>
        <s:key name="replication_factor">2</s:key>
        <s:key name="replication_port"></s:key>
        <s:key name="replication_use_ssl">0</s:key>
        <s:key name="restart_timeout">600</s:key>
        <s:key name="search_factor">2</s:key>
        <s:key name="secret">********</s:key>
        <s:key name="send_timeout">60</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

cluster/config/{name}

GET cluster/config/{name}

Lists the configuration of a node in a cluster.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view the cluster configuration.
404 The named server for cluster configuration does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
cxn_timeout Low-level timeout, in seconds, for establishing connection between cluster nodes.
disabled Indicates if this node is disabled.
eai:attributes See Accessing Splunk resources
forwarderdata_rcv_port The port from which to receive data from a forwarder.
forwarderdata_use_ssl Indicates whether to use SSL when receiving data from a forwarder.
heartbeat_period Only valid for peer nodes in a cluster. The time, in seconds, that a peer attempts to send a heartbeat to the master.
heartbeat_timeout Only valid for the master node in a cluster configuration. The time, in seconds, before a master considers a peer down. Once a peer is down, the master initiates steps to replicate buckets from the dead peer to its live peers. Defaults to 60 seconds
master_uri For nodes configured as a peer, the URI of the cluster master to which the peer connects.
max_peer_build_load The number of jobs that the peer can have in progress at any time that make the bucket searchable.
max_peer_rep_load Maximum number of replications that can be ongoing as a target.
mode Valid values: (master | slave | searchhead | disabled) Defaults to disabled.

Sets operational mode for this cluster node. Only one master may exist per cluster.

ping_flag For internal use to facilitate communication between the master and peers.
quiet_period The time, in seconds, that a master waits for peers to add themselves to the cluster configuration.
rcv_timeout Low-level timeout, in seconds, for receiving data between cluster nodes. Defaults to 60 seconds.
register_forwarder_address Not used.

Reserved for future use.

register_replication_address Valid only for nodes configured as peers. The address on which a peer is available for accepting replication data. This is useful in the cases where a peer host machine has multiple interfaces and only one of them can be reached by another splunkd instance.
register_search_address IP address that advertises this indexer to search heads.
rep_cxn_timeout Low-level timeout, in seconds, for establishing a connection for replicating data. Defaults to 5 seconds.
rep_max_rcv_timeout Maximum cumulative time, in seconds, for receiving acknowledgement data from peers. Defaults to 600s.
rep_max_send_timeout Maximum time, in seconds, for sending replication slice data between cluster nodes. Defaults to 600s.
rep_rcv_timeout Low-level timeout, in seconds, for receiving data between cluster nodes.
rep_send_timeout Low-level timeout, in seconds, for sending replication data between cluster nodes. Defaults to 5 seconds.
replication_factor Only valid for nodes configured as a master.

Determines how many copies of raw data are created in the cluster. This could be less than the number of cluster peers.

Must be greater than 0 and greater than or equal to the search factor. Defaults to 3.

replication_port TCP port to listen for replicated data from another cluster member.
replication_use_ssl Indicates whether to use SSL when sending replication data.
restart_timeout Only valid for nodes configured as a master. The amount of time, in seconds, the master waits for a peer to come back when the peer is restarted (to avoid the overhead of trying to fix the buckets that were on the peer). Defaults to 600 seconds.

Note: This only works if the peer is restarted from Splunk Web.

search_factor Only valid for nodes configured as a master. Determines how many searchable copies of each bucket to maintain. Must be less than or equal to replication_factor and greater than 0. Defaults to 2.
secret Secret shared among the nodes in the cluster to prevent any arbitrary node from connecting to the cluster. If a peer or searchhead is not configured with the same secret as the master, it is not able to communicate with the master.

Corresponds to pass4SymmKey setting in server.conf.

send_timeout Low-level timeout, in seconds, for sending data between cluster nodes. Defaults to 60 seconds.

Example

List the configuration for the named peer node in a cluster.

curl -k -u admin:pass https://localhost:8189/services/cluster/config/config
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>clusterconfig</title>
  <id>https://localhost:8189/services/cluster/config</id>
  <updated>2012-09-05T09:25:51-07:00</updated>
  <generator build="136169" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/config/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>config</title>
    <id>https://localhost:8189/services/cluster/config/config</id>
    <updated>2012-09-05T09:25:51-07:00</updated>
    <link href="/services/cluster/config/config" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/cluster/config/config" rel="list"/>
    <link href="/services/cluster/config/config/_reload" rel="_reload"/>
    <link href="/services/cluster/config/config" rel="edit"/>
    <link href="/services/cluster/config/config/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="cxn_timeout">60</s:key>
        <s:key name="disabled">0</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>cxn_timeout</s:item>
                <s:item>forwarderdata_rcv_port</s:item>
                <s:item>forwarderdata_use_ssl</s:item>
                <s:item>heartbeat_period</s:item>
                <s:item>heartbeat_timeout</s:item>
                <s:item>master_uri</s:item>
                <s:item>quiet_period</s:item>
                <s:item>rcv_timeout</s:item>
                <s:item>register_forwarder_address</s:item>
                <s:item>register_replication_address</s:item>
                <s:item>register_search_address</s:item>
                <s:item>rep_cxn_timeout</s:item>
                <s:item>rep_max_rcv_timeout</s:item>
                <s:item>rep_max_send_timeout</s:item>
                <s:item>rep_rcv_timeout</s:item>
                <s:item>rep_send_timeout</s:item>
                <s:item>replication_factor</s:item>
                <s:item>replication_port</s:item>
                <s:item>replication_use_ssl</s:item>
                <s:item>restart_timeout</s:item>
                <s:item>search_factor</s:item>
                <s:item>secret</s:item>
                <s:item>send_timeout</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>mode</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="forwarderdata_rcv_port">0</s:key>
        <s:key name="forwarderdata_use_ssl">1</s:key>
        <s:key name="heartbeat_period">1</s:key>
        <s:key name="heartbeat_timeout">60</s:key>
        <s:key name="master_uri">https://127.0.0.1:8089</s:key>
        <s:key name="max_peer_build_load">5</s:key>
        <s:key name="max_peer_rep_load">5</s:key>
        <s:key name="mode">slave</s:key>
        <s:key name="ping_flag">1</s:key>
        <s:key name="quiet_period">60</s:key>
        <s:key name="rcv_timeout">60</s:key>
        <s:key name="register_forwarder_address"></s:key>
        <s:key name="register_replication_address"></s:key>
        <s:key name="register_search_address"></s:key>
        <s:key name="rep_cxn_timeout">5</s:key>
        <s:key name="rep_max_rcv_timeout">600</s:key>
        <s:key name="rep_max_send_timeout">600</s:key>
        <s:key name="rep_rcv_timeout">10</s:key>
        <s:key name="rep_send_timeout">5</s:key>
        <s:key name="replication_factor">3</s:key>
        <s:key name="replication_port">6666</s:key>
        <s:key name="replication_use_ssl">0</s:key>
        <s:key name="restart_timeout">600</s:key>
        <s:key name="search_factor">2</s:key>
        <s:key name="secret">********</s:key>
        <s:key name="send_timeout">60</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

POST cluster/config/{name}

Configure or update the cluster configuration of a Splunk server.

Request

Name Type Required Default Description
cxn_timeout Number Low-level timeout, in seconds, for establishing connection between cluster nodes.

Defaults to 60 seconds.

forwarderdata_rcv_port Number The port from which to receive data from a forwarder.
forwarderdata_use_ssl Boolean Indicates whether to use SSL when receiving data from a forwarder.
heartbeat_period Number Only valid for peer nodes in a cluster. The time, in seconds, that a peer attempts to send a heartbeat to the master.
heartbeat_timeout Number Only valid for the master node in a cluster configuration.

The time, in seconds, before a master considers a peer down. Once a peer is down, the master initiates steps to replicate buckets from the dead peer to its live peers.

Defaults to 60 seconds.

master_uri String Valid only for nodes configured as a peer or searchhead.

URI of the cluster master to which this node connects.

mode Enum Valid values: (master | slave | searchhead | disabled)

Defaults to disabled.

Sets operational mode for this cluster node. Only one master may exist per cluster.

quiet_period Number Only valid for master nodes in a cluster configuration.

The time, in seconds, for which the master is quiet right after it starts. During this period the master does not initiate any action but is instead waiting for the peers to register themselves. At the end of this time period, it builds its view of the cluster based on the registered information and starts normal processing.

Defaults to 60 seconds.

rcv_timeout Number Low-level timeout, in seconds, for receiving data between cluster nodes.

Defaults to 60 seconds.

register_forwarder_address String Not used.

Reserved for future use.

register_replication_address String Valid only for nodes configured as peers.

The address on which a peer is available for accepting replication data. This is useful in the cases where a peer host machine has multiple interfaces and only one of them can be reached by another splunkd instance.

register_search_address String IP address that advertises this indexer to search heads.
rep_cxn_timeout Number Low-level timeout, in seconds, for establishing a connection for replicating data.

Defaults to 5 seconds.

rep_max_rcv_timeout Number Maximum cumulative time, in seconds, for receiving acknowledgement data from peers. Defaults to 600s.

On rep_rcv_timeout a source peer determines if total receive timeout has exceeded rep_max_rcv_timeout. If so, replication fails.

rep_max_send_timeout Number Maximum time, in seconds, for sending replication slice data between cluster nodes. Defaults to 600s.

On rep_send_timeout, a source peer determines if the total send timeout has exceeded the rep_max_send_timeout. If cumulative rep_send_timeout exceeds rep_max_send_timeout, replication fails.

rep_rcv_timeout Number Low-level timeout, in seconds, for receiving data between cluster nodes.

Defaults to 60 seconds.

rep_send_timeout Number Low-level timeout, in seconds, for sending replication data between cluster nodes.

Defaults to 5 seconds.

replication_factor Number Only valid for nodes configured as a master.

Determines how many copies of raw data are created in the cluster. Set this to N, where N is how many copies of the data you want to maintain.

Must be greater than 0 and greater than or equal to the search factor. Defaults to 3.

replication_port Number TCP port to listen for replicated data from another cluster member.

If mode=slave is set in the [clustering] stanza, at least one replication_port must be configured and not disabled.

replication_use_ssl Boolean Indicates whether to use SSL when sending replication data.
restart_timeout Number Only valid for nodes configured as a master.

The amount of time, in seconds, the master waits for a peer to come back when the peer is restarted (to avoid the overhead of trying to fix the buckets that were on the peer).

Defaults to 600 seconds.

Note: This only works if the peer is restarted from Splunk Web.

search_factor Number Only valid for nodes configured as a master.

Determines how many searchable copies of each bucket to maintain.

Must be less than or equal to replication_factor and greater than 0. Defaults to 2.

secret String Secret shared among the nodes in the cluster to prevent any arbitrary node from connecting to the cluster.

If a peer or searchhead is not configured with the same secret as the master, it is not able to communicate with the master.

Corresponds to pass4SymmKey setting in server.conf.

send_timeout Number Low-level timeout, in seconds, for sending data between cluster nodes.

Defaults to 60 seconds.

Response Codes

Status Code Description
200 Updated successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
402 The Splunk license in use has disabled this feature.
403 Insufficient permissions to edit cluster configuration.
404 Named server does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.
503 This feature has been disabled in Splunk configuration files.

Returned Values

No values returned for this request.

Example

Change the search factor for a master node in a cluster.

curl -k -u admin:pass https://localhost:8089/services/cluster/config/config \
	-d mode=master \
	-d search_factor=3
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>clusterconfig</title>
  <id>https://localhost:8909/services/cluster/config</id>
  <updated>2012-07-18T21:06:53-07:00</updated>
  <generator build="130979" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/config/_reload" rel="_reload"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
</feed>


cluster/master/buckets

Provides access to information about the bucket configuration for a cluster's master node.

GET cluster/master/buckets

Lists the bucket configuration for a cluster's master node.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify -1.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view bucket configurations for this server.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
bucket_size Indicates the size, in bytes, of the bucket.
frozen Indicates if the bucket is frozen.
peers Lists information about buckets on peers to this master.
service_after_time Bucket service is deferred until after this time.
standalone Indicates if the bucket was created on the peer before the peer entered into a cluster configuration with this master.

Example

Lists information about the buckets for a cluster's master node.

curl -k -u admin:pass https://localhost:8089/services/cluster/master/buckets
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>clustermasterbuckets</title>
  <id>https://localhost:8089/services/cluster/master/buckets</id>
  <updated>2012-09-05T10:25:36-07:00</updated>
  <generator build="136169" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/master/buckets/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516</title>
    <id>https://localhost:8089/services/cluster/master/buckets/_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516</id>
    <updated>2012-09-05T10:25:36-07:00</updated>
    <link href="/services/cluster/master/buckets/_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/cluster/master/buckets/_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516" rel="list"/>
    <link href="/services/cluster/master/buckets/_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="bucket_size">1677</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="frozen">0</s:key>
        <s:key name="peers">
          <s:dict>
            <s:key name="2AF11DD4-1424-4A14-A522-FB9D055E9516">
              <s:dict>
                <s:key name="bucket_flags">0xffffffffffffffff</s:key>
                <s:key name="checksum"></s:key>
                <s:key name="checksum_state">StableCksum</s:key>
                <s:key name="search_state">Searchable</s:key>
                <s:key name="status">Complete</s:key>
              </s:dict>
            </s:key>
            <s:key name="50FCDB42-E167-458D-A6A9-E4587E8F16D9">
              <s:dict>
                <s:key name="bucket_flags">0x0</s:key>
                <s:key name="checksum"></s:key>
                <s:key name="checksum_state">StableCksum</s:key>
                <s:key name="search_state">Searchable</s:key>
                <s:key name="status">Complete</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="service_after_time">0</s:key>
        <s:key name="standalone">0</s:key>
      </s:dict>
    </content>
  </entry>
  . . .
</feed>

cluster/master/buckets/{name}

GET cluster/master/buckets/{name}

Lists the bucket configuration for a cluster's master node.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view bucket configuration for this server.
404 The named bucket does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
bucket_size Indicates the size, in bytes, of the bucket.
frozen Indicates if the bucket is frozen.
peers Lists information about buckets on peers to this master.
service_after_time Bucket service is deferred until after this time.
standalone Indicates if the bucket was created on the peer before the peer entered into a cluster configuration with this master.

Example

Lists information about the buckets for a cluster's master node.

curl -k -u admin:pass \
	https://localhost:8089/services/cluster/master/buckets/_internal~0~B8B5E5C6-DB26-4952-AFB1-C5EFEFFFEA31
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>clustermasterbuckets</title>
  <id>https://localhost:8089/services/cluster/master/buckets</id>
  <updated>2012-09-05T10:32:35-07:00</updated>
  <generator build="136169" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/master/buckets/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9</title>
    <id>https://localhost:8089/services/cluster/master/buckets/_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9</id>
    <updated>2012-09-05T10:32:35-07:00</updated>
    <link href="/services/cluster/master/buckets/_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/cluster/master/buckets/_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9" rel="list"/>
    <link href="/services/cluster/master/buckets/_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="bucket_size"></s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <!-- eai:aattributes nodes elided for brevity. -->
        <s:key name="frozen">0</s:key>
        <s:key name="peers">
          <s:dict>
            <s:key name="2AF11DD4-1424-4A14-A522-FB9D055E9516">
              <s:dict>
                <s:key name="bucket_flags">0x0</s:key>
                <s:key name="checksum"></s:key>
                <s:key name="checksum_state">StableCksum</s:key>
                <s:key name="search_state">Searchable</s:key>
                <s:key name="status">StreamingTarget</s:key>
              </s:dict>
            </s:key>
            <s:key name="50FCDB42-E167-458D-A6A9-E4587E8F16D9">
              <s:dict>
                <s:key name="bucket_flags">0xffffffffffffffff</s:key>
                <s:key name="checksum"></s:key>
                <s:key name="checksum_state">StableCksum</s:key>
                <s:key name="search_state">Searchable</s:key>
                <s:key name="status">StreamingSource</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="service_after_time">0</s:key>
        <s:key name="standalone">0</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

cluster/master/buckets/{bucket_id}/fix

POST cluster/master/buckets/{bucket_id}/fix

Add the specified bucket to the fix list.

  • Note: Use this endpoint with caution. It is recommended to test the endpoint prior to use on an actual bucket.

For more information, see "Bucket-fixing scenarios" in Managing Indexers and Clusters of Indexers.

Authentication and Authorization

Requires the admin role or indexes_edit capability.

Request

None

Returned values

None

Example

curl -k -u admin:changeme https://localhost:8089/services/cluster/master/buckets/_internal~0~111175BA-00DF-4CFE-9AEC-48A87B97EC71/fix -X POST
  <title>clustermasterbuckets</title>
  <id>https://localhost:8089/services/cluster/master/buckets</id>
  <updated>2015-11-04T12:23:57-08:00</updated>
  <generator build="8effae892620f7b651853d141b7b7a6b61b929c0" version="20151102"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/master/buckets/_new" rel="create"/>
  <link href="/services/cluster/master/buckets/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>

cluster/master/buckets/{bucket_id}/freeze

POST cluster/master/buckets/{bucket_id}/freeze

Set the bucket state to frozen.

  • Note: Use this endpoint with caution. It is recommended to test the endpoint prior to use on an actual bucket.

For more information, see "How the cluster handles frozen buckets" in Managing Indexers and Clusters of Indexers.

Authentication and Authorization

Requires the admin role or indexes_edit capability.

Request

None

Returned values

None

Example

curl -k -u admin:pass https://localhost:8089/services/cluster/master/buckets/_internal~0~111175BA-00DF-4CFE-9AEC-48A87B97EC71/freeze -X POST
  <title>clustermasterbuckets</title>
  <id>https://locahost:8089/services/cluster/master/buckets</id>
  <updated>2015-11-04T12:21:27-08:00</updated>
  <generator build="8effae892620f7b651853d141b7b7a6b61b929c0" version="20151102"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/master/buckets/_new" rel="create"/>
  <link href="/services/cluster/master/buckets/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>

cluster/master/peers

Provides access to information about a master's set of peers.

GET cluster/master/peers

List information about a master's set of peers.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify -1.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view information about the peers to this master.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
active_bundle_id The ID of the configuration bundle currently being used by the master.
base_generation_id The initial bundle generation ID recognized by this peer. Any searches from previous generations fail.

The initial bundle generation ID is created when a peer first comes online, restarts, or recontacts the master.

buckets List of buckets for this cluster.
bundle_status Indicates the status of the cluster bundle. Valid values are:
ebundleTypeActive: Indicates that this is the bundle the peers are currently using.
ebundleTypeLatest: Indicates the most up to date bundle from the master. In steady state, it should match the active bundle. If unapplied changes have been recently made, it differs from the active bundle.
fixup_set The set of buckets that need to be fixed when a peer goes offline.

These are the buckets that were on the peer that went offline and need copies created or made searchable to satisfy the replication and search factor configured on the master. For more information, refer to What happens when a peer node goes down in the Splunk Managing Indexers and Clusters manual.

host_port_pair The host and port advertised to peers for the data replication channel.

Can be either of the form IP:port or hostname:port.

label The name for the peer that is displayed in the Splunk Manager page.
last_heartbeat Timestamp for last heartbeat recieved from the peer.
latest_bundle_id The ID of the configuration bundle this peer is using.
pending_job_count Used by the master to keep track of pending jobs requested by the master to this peer. If the number exceeds the max_peer_build_load, the master does not send a job to this peer to make a bucket searchable.
primary_count The number of buckets for which this peer is the primary. When a peer is the primary for a bucket, the peer returns the results from a search of that bucket.
replication_port TCP port to listen for replicated data from another cluster member.
replication_use_ssl Indicates whether to use SSL when sending replication data.
search_state_counter Lists the number of buckets on the peer for each search state for the bucket.

Possible values for search state include:

Searchable
Unsearchable
status Indicates the status of the peer.

Valid values are:

Up
Pending: Temporary state
Detention: Indicates the peer's queue is backed up.
Restarting: Temporary state
ShuttingDown:
ReassigningPrimaries: Temporary state
Decommissioning: Peer enters this state until bucket-fixing is complete before shutdown.
GracefulShutdown: Peer is shut down after after successful decommissioning
Down: Peer is offline for any reason other than through decommissioning.

For details on the status of a peer, refer to Peer details in the Managing Indexers and clusters manual.

status_counter Lists the number of buckets on the peer for each bucket status.

Possible values for bucket status:

Complete: complete (warm/cold) bucket
NonStreamingTarget: target of replication for already completed (warm/cold) bucket
PendingTruncate: bucket pending truncation
PendingDiscard: bucket pending discard
Standalone: bucket that is not replicated
StreamingError: copy of streaming bucket where some error was encountered
StreamingSource: streaming hot bucket on source side
StreamingTarget: streaming hot bucket copy on target side
Unset: uninitialized

Example

Lists information about peers to this server, which is configured as a master in a cluster configuration.

curl -k -u admin:pass https://localhost:8089/services/cluster/master/peers
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>clustermasterpeers</title>
  <id>https://localhost:8089/services/cluster/master/peers</id>
  <updated>2012-09-05T11:02:08-07:00</updated>
  <generator build="136169" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/master/peers/_new" rel="create"/>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>2AF11DD4-1424-4A14-A522-FB9D055E9516</title>
    <id>https://localhost:8089/services/cluster/master/peers/2AF11DD4-1424-4A14-A522-FB9D055E9516</id>
    <updated>2012-09-05T11:02:08-07:00</updated>
    <link href="/services/cluster/master/peers/2AF11DD4-1424-4A14-A522-FB9D055E9516" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/cluster/master/peers/2AF11DD4-1424-4A14-A522-FB9D055E9516" rel="list"/>
    <link href="/services/cluster/master/peers/2AF11DD4-1424-4A14-A522-FB9D055E9516" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="active_bundle_id">36a883f4d47af66f78531ef474349b59</s:key>
        <s:key name="base_generation_id">2</s:key>
        <s:key name="buckets">
          <s:list>
            <s:item>_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516</s:item>
            <s:item>_audit~0~50FCDB42-E167-458D-A6A9-E4587E8F16D9</s:item>
            <s:item>_audit~1~2AF11DD4-1424-4A14-A522-FB9D055E9516</s:item>
            <s:item>_audit~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9</s:item>
            <s:item>_internal~0~2AF11DD4-1424-4A14-A522-FB9D055E9516</s:item>
            <s:item>_internal~0~50FCDB42-E167-458D-A6A9-E4587E8F16D9</s:item>
            <s:item>_internal~1~2AF11DD4-1424-4A14-A522-FB9D055E9516</s:item>
            <s:item>_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9</s:item>
          </s:list>
        </s:key>
        <s:key name="bundle_status"></s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="fixup_set">
          <s:list/>
        </s:key>
        <s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8389</s:key>
        <s:key name="label">splunks-ombra.sv.splunk.com</s:key>
        <s:key name="last_heartbeat">1346868127</s:key>
        <s:key name="latest_bundle_id">36a883f4d47af66f78531ef474349b59</s:key>
        <s:key name="pending_job_count">0</s:key>
        <s:key name="primary_count">4</s:key>
        <s:key name="replication_port">7777</s:key>
        <s:key name="replication_use_ssl">0</s:key>
        <s:key name="search_state_counter">
          <s:dict>
            <s:key name="PendingSearchable">0</s:key>
            <s:key name="Searchable">8</s:key>
            <s:key name="SearchablePendingMask">0</s:key>
            <s:key name="Unsearchable">0</s:key>
          </s:dict>
        </s:key>
        <s:key name="status">Up</s:key>
        <s:key name="status_counter">
          <s:dict>
            <s:key name="Complete">4</s:key>
            <s:key name="NonStreamingTarget">0</s:key>
            <s:key name="StreamingSource">2</s:key>
            <s:key name="StreamingTarget">2</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
  . . .
</feed>

cluster/master/peers/{name}

GET cluster/master/peers/{name}

List details to the named peer to this master.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view information about the named peer.
404 Named peer does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
active_bundle_id The ID of the configuration bundle currently being used by the master.
base_generation_id The initial bundle generation ID recognized by this peer. Any searches from previous generations fail.

The initial bundle generation ID is created when a peer first comes online, restarts, or recontacts the master.

buckets List of buckets for this peer.
bundle_status Indicates the status of the cluster bundle. Valid values are:
ebundleTypeActive: Indicates that this is the bundle the peers are currently using.
ebundleTypeLatest: Indicates the most up to date bundle from the master. In steady state, it should match the active bundle. If unapplied changes have been recently made, it differs from the active bundle.
fixup_set The set of buckets that need repair once you take the peer offline.
host_port_pair The host and port advertised to peers for the data replication channel.

Can be either of the form IP:port or hostname:port.

label The name for the peer that is displayed in the Splunk Manager page.
last_heartbeat Timestamp for last heartbeat recieved from the peer.
latest_bundle_id The ID of the configuration bundle this peer is using.
pending_job_count Used by the master to keep track of pending jobs requested by the master to this peer. If the number exceeds the max_peer_build_load, the master does not send a job to this peer to make a bucket searchable.
primary_count The number of buckets for which this peer is the primary. When a peer is the primary for a bucket, the peer returns the results from a search of that bucket.
replication_port TCP port to listen for replicated data from another cluster member.
replication_use_ssl Indicates whether to use SSL when sending replication data.
search_state_counter Lists the number of buckets on the peer for each search state for the bucket.

Possible values for search state include:

Searchable
Unsearchable
status Indicates the status of the peer.

Valid values are:

Up
Down
Pending
Detention
Restarting
DecommAwaitPeer
DecommFixingBuckets
Decommissioned
status_counter Lists the number of buckets on the peer for each bucket status.

Possible values for bucket status:

Complete: complete (warm/cold) bucket
NonStreamingTarget: target of replication for already completed (warm/cold) bucket
PendingTruncate: bucket pending truncation
PendingDiscard: bucket pending discard
Standalone: bucket that is not replicated
StreamingError: copy of streaming bucket where some error was encountered
StreamingSource: streaming hot bucket on source side
StreamingTarget: streaming hot bucket copy on target side
Unset: uninitialized

Example

Lists information about the named Splunk server configured as a peer to this master in a cluster configuration. The peer is identified by its server ID>

curl -k -u admin:pass \
	https://localhost:8089/services/cluster/master/peers/B8B5E5C6-DB26-4952-AFB1-C5EFEFFFEA31
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>clustermasterpeers</title>
  <id>https://localhost:8089/services/cluster/master/peers</id>
  <updated>2012-09-05T11:07:35-07:00</updated>
  <generator build="136169" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/master/peers/_new" rel="create"/>
  !-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>50FCDB42-E167-458D-A6A9-E4587E8F16D9</title>
    <id>https://localhost:8089/services/cluster/master/peers/50FCDB42-E167-458D-A6A9-E4587E8F16D9</id>
    <updated>2012-09-05T11:07:35-07:00</updated>
    <link href="/services/cluster/master/peers/50FCDB42-E167-458D-A6A9-E4587E8F16D9" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/cluster/master/peers/50FCDB42-E167-458D-A6A9-E4587E8F16D9" rel="list"/>
    <link href="/services/cluster/master/peers/50FCDB42-E167-458D-A6A9-E4587E8F16D9" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="active_bundle_id">36a883f4d47af66f78531ef474349b59</s:key>
        <s:key name="base_generation_id">2</s:key>
        <s:key name="buckets">
          <s:list>
            <s:item>_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516</s:item>
            <s:item>_audit~0~50FCDB42-E167-458D-A6A9-E4587E8F16D9</s:item>
            <s:item>_audit~1~2AF11DD4-1424-4A14-A522-FB9D055E9516</s:item>
            <s:item>_audit~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9</s:item>
            <s:item>_internal~0~2AF11DD4-1424-4A14-A522-FB9D055E9516</s:item>
            <s:item>_internal~0~50FCDB42-E167-458D-A6A9-E4587E8F16D9</s:item>
            <s:item>_internal~1~2AF11DD4-1424-4A14-A522-FB9D055E9516</s:item>
            <s:item>_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9</s:item>
          </s:list>
        </s:key>
        <s:key name="bundle_status"></s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <!-- eai:attributes nodes elided for brevity. -->
        <s:key name="fixup_set">
          <s:list/>
        </s:key>
        <s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8189</s:key>
        <s:key name="label">splunks-ombra.sv.splunk.com</s:key>
        <s:key name="last_heartbeat">1346868455</s:key>
        <s:key name="latest_bundle_id">36a883f4d47af66f78531ef474349b59</s:key>
        <s:key name="pending_job_count">0</s:key>
        <s:key name="primary_count">4</s:key>
        <s:key name="replication_port">6666</s:key>
        <s:key name="replication_use_ssl">0</s:key>
        <s:key name="search_state_counter">
          <s:dict>
            <s:key name="PendingSearchable">0</s:key>
            <s:key name="Searchable">8</s:key>
            <s:key name="SearchablePendingMask">0</s:key>
            <s:key name="Unsearchable">0</s:key>
          </s:dict>
        </s:key>
        <s:key name="status">Up</s:key>
        <s:key name="status_counter">
          <s:dict>
            <s:key name="Complete">4</s:key>
            <s:key name="NonStreamingTarget">0</s:key>
            <s:key name="StreamingSource">2</s:key>
            <s:key name="StreamingTarget">2</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>


cluster/master/generation

Provide access to information about the current generation for a master in a cluster.

GET cluster/master/generation

Lists information about the peer nodes participating in the current generation for this master.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify -1.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view the generation information for the master.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
generation_id The ID for the current generation for this master.
generation_peers Lists the peers for this generation of the cluster.
pending_generation_id The next generation ID used by the master when committing a new generation.

This value is useful for debugging.

pending_last_attempt The timestamp of the last attempt to commit to the pending generation ID (if ever).
pending_last_reason The reason why this peer failed to commit to the pending generation.

This parameter is EMPTY if no such attempt was made.

Example

List information about the current generation for a cluster's master node.

curl -k -u admin:pass https://localhost:8089/services/cluster/master/generation
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>clustermastergeneration</title>
  <id>https://localhost:8089/services/cluster/master/generation</id>
  <updated>2012-09-05T10:39:54-07:00</updated>
  <generator build="136169" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>master</title>
    <id>https://localhost:8089/services/cluster/master/generation/master</id>
    <updated>2012-09-05T10:39:54-07:00</updated>
    <link href="/services/cluster/master/generation/master" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/cluster/master/generation/master" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="generation_id">2</s:key>
        <s:key name="generation_peers">
          <s:dict>
            <s:key name="2AF11DD4-1424-4A14-A522-FB9D055E9516">
              <s:dict>
                <s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8389</s:key>
                <s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
              </s:dict>
            </s:key>
            <s:key name="50FCDB42-E167-458D-A6A9-E4587E8F16D9">
              <s:dict>
                <s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8189</s:key>
                <s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="pending_generation_id">3</s:key>
        <s:key name="pending_last_attempt">0</s:key>
        <s:key name="pending_last_reason"></s:key>
      </s:dict>
    </content>
  </entry>
</feed>

cluster/master/generation/{name}

GET cluster/master/generation/{name}

Lists information about the peer nodes participating in the current generation for this master.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view the generation information for the named master.
404 The generation for the named master does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
generation_id The ID of the current generation for this master.
generation_peers Lists the peers for this generation of the cluster.
pending_generation_id The next generation ID used by the master when committing a new generation.

This value is useful for debugging.

pending_last_attempt The timestamp of the last attempt to commit to the pending generation ID (if ever).
pending_last_reason The reason why this peer failed to commit to the pending generation.

This parameter is EMPTY if no such attempt was made.

Example

List information about the current generation for a cluster's master node.


curl -k -u admin:pass https://localhost:8089/services/cluster/master/generation/master
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>clustermastergeneration</title>
  <id>https://localhost:8089/services/cluster/master/generation</id>
  <updated>2012-09-05T10:45:27-07:00</updated>
  <generator build="136169" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>master</title>
    <id>https://localhost:8089/services/cluster/master/generation/master</id>
    <updated>2012-09-05T10:45:27-07:00</updated>
    <link href="/services/cluster/master/generation/master" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/cluster/master/generation/master" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
        <!-- eai:attributes nodes elided for brevity. -->
        <s:key name="generation_id">2</s:key>
        <s:key name="generation_peers">
          <s:dict>
            <s:key name="2AF11DD4-1424-4A14-A522-FB9D055E9516">
              <s:dict>
                <s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8389</s:key>
                <s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
              </s:dict>
            </s:key>
            <s:key name="50FCDB42-E167-458D-A6A9-E4587E8F16D9">
              <s:dict>
                <s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8189</s:key>
                <s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="pending_generation_id">3</s:key>
        <s:key name="pending_last_attempt">0</s:key>
        <s:key name="pending_last_reason"></s:key>
      </s:dict>
    </content>
  </entry>
</feed>


cluster/master/info

Access details about a master node in a cluster.

GET cluster/master/info

Lists details about the master node in a cluster.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify -1.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view details about the Splunk server configured as a master.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
active_bundle Provides information about the active bundle for this master.
buckets_to_fix Indicates the number of buckets to fix when a peer goes offline.

These are the buckets that were on the peer that went offline and need copies created or made searchable to satisfy the replication and search factor configured on the master. For more information, refer to What happens when a peer node goes down in the Splunk Managing Indexers and Clusters manual.

indexing_ready_flag Indicates if the cluster is ready for indexing.
initialized_flag Indicates if the cluster has been initialized.
label The name for the master that is displayed in the Splunk Manager page.
latest_bundle The most recent information reflecting any changes made to the master-apps configuration bundle.

In steady state, this is equal to active_bundle. If it is not equal, then pushing the latest bundle to all peers is in process (or needs to be started).

rolling_restart_flag Indicates whether the master is restarting the peers in a cluster.
start_time Timestamp corresponding to the creation of the master.

Example

Lists details about the master node in a cluster.

curl -k -u admin:pass https://localhost:8089/services/cluster/master/info
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>clustermasterinfo</title>
  <id>https://localhost:8089/services/cluster/master/info</id>
  <updated>2012-09-05T10:53:10-07:00</updated>
  <generator build="136169" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>master</title>
    <id>https://localhost:8089/services/cluster/master/info/master</id>
    <updated>2012-09-05T10:53:10-07:00</updated>
    <link href="/services/cluster/master/info/master" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/cluster/master/info/master" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="active_bundle">
          <s:dict>
            <s:key name="bundle_path">/Applications/splunk/var/run/splunk/cluster/remote-bundle/4d8f6017a5b4a4e48d461e5000ae3a04-1346858804.bundle</s:key>
            <s:key name="checksum">36a883f4d47af66f78531ef474349b59</s:key>
            <s:key name="timestamp">1346858804</s:key>
          </s:dict>
        </s:key>
        <s:key name="buckets_to_fix"/>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="indexing_ready_flag">1</s:key>
        <s:key name="initialized_flag">1</s:key>
        <s:key name="label">splunks-ombra.sv.splunk.com</s:key>
        <s:key name="latest_bundle">
          <s:dict>
            <s:key name="bundle_path">/Applications/splunk/var/run/splunk/cluster/remote-bundle/4d8f6017a5b4a4e48d461e5000ae3a04-1346858804.bundle</s:key>
            <s:key name="checksum">36a883f4d47af66f78531ef474349b59</s:key>
            <s:key name="timestamp">1346858804</s:key>
          </s:dict>
        </s:key>
        <s:key name="rolling_restart_flag">0</s:key>
        <s:key name="start_time">1346858804</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

cluster/master/info/{name}

GET cluster/master/info/{name}

Lists details about the named Splunk server configured as a master in a cluster configuration.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view information about the Splunk server.
404 Specified master configuration does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
active_bundle Provides information about the active bundle for this master.
buckets_to_fix Indicates the number of buckets to fix when a peer goes offline.

These are the buckets that were on the peer that went offline and need copies created or made searchable to satisfy the replication and search factor configured on the master. For more information, refer to What happens when a peer node goes down in the Splunk Managing Indexers and Clusters manual.

indexing_ready_flag Indicates if the cluster is ready for indexing.
initialized_flag Indicates if the cluster has been initialized.
label The name for the master that is displayed in the Splunk Manager page.
latest_bundle The most recent information reflecting any changes made to the master-apps configuration bundle.

In steady state, this is equal to active_bundle. If it is not equal, then pushing the latest bundle to all peers is in process (or needs to be started).

rolling_restart_flag Indicates whether the master is restarting the peers in a cluster.
start_time Timestamp corresponding to the creation of the master.

Example

Lists details about the master node in a cluster.

curl -k -u admin:pass https://localhost:8089/services/cluster/master/info/master
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>clustermasterinfo</title>
  <id>https://localhost:8089/services/cluster/master/info</id>
  <updated>2012-09-05T10:57:34-07:00</updated>
  <generator build="136169" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>master</title>
    <id>https://localhost:8089/services/cluster/master/info/master</id>
    <updated>2012-09-05T10:57:34-07:00</updated>
    <link href="/services/cluster/master/info/master" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/cluster/master/info/master" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="active_bundle">
          <s:dict>
            <s:key name="bundle_path">/Applications/splunk/var/run/splunk/cluster/remote-bundle/4d8f6017a5b4a4e48d461e5000ae3a04-1346858804.bundle</s:key>
            <s:key name="checksum">36a883f4d47af66f78531ef474349b59</s:key>
            <s:key name="timestamp">1346858804</s:key>
          </s:dict>
        </s:key>
        <s:key name="buckets_to_fix"/>
        <!-- eai:acl nodes elided for brevity. -->
        <!-- eai:attributes nodes elided for brevity. -->
        <s:key name="indexing_ready_flag">1</s:key>
        <s:key name="initialized_flag">1</s:key>
        <s:key name="label">splunks-ombra.sv.splunk.com</s:key>
        <s:key name="latest_bundle">
          <s:dict>
            <s:key name="bundle_path">/Applications/splunk/var/run/splunk/cluster/remote-bundle/4d8f6017a5b4a4e48d461e5000ae3a04-1346858804.bundle</s:key>
            <s:key name="checksum">36a883f4d47af66f78531ef474349b59</s:key>
            <s:key name="timestamp">1346858804</s:key>
          </s:dict>
        </s:key>
        <s:key name="rolling_restart_flag">0</s:key>
        <s:key name="start_time">1346858804</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


cluster/searchhead/generation

Access the peers available to a searchhead in a cluster.

GET cluster/searchhead/generation

List the peers available to a searchhead in a cluster.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify -1.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view peers to this searchhead.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
generation_id The current generation ID for this searchhead, which is part of a cluster configuration.

The search head uses this information to determine which buckets to search across.

generation_peers List of peer nodes for the current generation in the cluster configuration for this searchhead.

Example

Lists the peers available to the searchhead.

curl -k -u admin:pass https://localhost:8089/services/cluster/searchhead/generation
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>clustersearchheadgeneration</title>
  <id>https://localhost:8089/services/cluster/searchhead/generation</id>
  <updated>2012-09-05T11:13:45-07:00</updated>
  <generator build="136169" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>master</title>
    <id>https://localhost:8089/services/cluster/searchhead/generation/master</id>
    <updated>2012-09-05T11:13:45-07:00</updated>
    <link href="/services/cluster/searchhead/generation/master" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/cluster/searchhead/generation/master" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="generation_id">2</s:key>
        <s:key name="generation_peers">
          <s:dict>
            <s:key name="2AF11DD4-1424-4A14-A522-FB9D055E9516">
              <s:dict>
                <s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8389</s:key>
                <s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
              </s:dict>
            </s:key>
            <s:key name="50FCDB42-E167-458D-A6A9-E4587E8F16D9">
              <s:dict>
                <s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8189</s:key>
                <s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

cluster/searchhead/generation/{name}

GET cluster/searchhead/generation/{name}

Lists the peers available to this searchhead from the specified master.

To specify the named master, provide the URI-encoded URI to the master.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view the named peer to the searchhead.
404 The named peer to the searchhead does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
generation_id The current generation ID for this searchhead, which is part of a cluster configuration.

The search head uses this information to determine which buckets to search across.

generation_peers List of peer nodes for the current generation in the cluster configuration for this searchhead.

Example

Lists details about a master node to a searchhead configured as a searchhead in multiple custers.

Note: The named master node is the URI-encoded URI of the master.

curl -k -u admin:pass \
	https://localhost:8089/services/cluster/searchhead/generation/https%3A%252F%252Fvgenovese-mbp15.sv.splunk.com%3A8989
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>clustersearchheadgeneration</title>
  <id>https://localhost:53791/services/cluster/searchhead/generation</id>
  <updated>2012-09-07T14:11:59-07:00</updated>
  <generator build="136859" version="20120906"/>
  <author>
    <name>Splunk</name>
  </author>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>https://ronnie.splunk.com:53112</title>
    <id>https://localhost:53791/services/cluster/searchhead/generation/https%3A%252F%252Fronnie.splunk.com%3A53112</id>
    <updated>2012-09-07T14:11:59-07:00</updated>
    <link href="/services/cluster/searchhead/generation/https%3A%252F%252Fronnie.splunk.com%3A53112" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/cluster/searchhead/generation/https%3A%252F%252Fronnie.splunk.com%3A53112" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <!-- eai:acl nodes elided for brevity. -->
        <!-- eai:attributes nodes elided for brevity. -->
        <s:key name="generation_id">3</s:key>
        <s:key name="generation_peers">
          <s:dict>
            <s:key name="33333333-3333-3333-3333-333333333333">
              <s:dict>
                <s:key name="host_port_pair">10.1.42.3:53309</s:key>
                <s:key name="peer">peer3</s:key>
              </s:dict>
            </s:key>
            <s:key name="44444444-4444-4444-4444-444444444444">
              <s:dict>
                <s:key name="host_port_pair">10.1.42.3:53411</s:key>
                <s:key name="peer">peer4</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>


cluster/slave/buckets

Provides access to the bucket configuration for peers in a cluster.

GET cluster/slave/buckets

List the configuration for buckets for a peer in a cluster.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify -1.
generation_id String The generation ID for this peer.

For each generation, the master server in a cluster configuration assigns generation IDs. A generation identifies which copies of a cluster's buckets are primary and therefore can participate in a search.

offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view bucket configuration for this peer.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
checksum Used internally to identify this bucket.
earliest_time Indicates the time of the earliest event in this bucket.
generation_id The generation ID for this peer.
generations A sparse list of generation id to bucket primacy for the given peer.
latest_time Indicates the time for the latest event in this bucket.
search_state Indicates if the bucket is searchable.

Possible values:

Searchable
Unsearchable
status Indicates the status of this bucket.

Possible values for bucket status:

Complete: Copy of this (warm/cold) bucket contains the full complement of information
StreamingSource: The copy of this hot bucket is sending data to peer nodes for replication
StreamingTarget: The copy of this hot bucket is receiving replicated data.
NonStreamingTarget: This copy of a (warm/cold) bucket replication is in progress. Once replication is complete, the status changes to Complete.
StreamingError: the copy of this bucket encountered errors while streaming data.
PendingTruncate: The master asked the peer to truncate this copy of the bucket to a certain size and is waiting for confirmation.
PendingDiscard: The master asked the peer to discard this copy of the bucket (for whatever reason), and is waiting for confirmation.
Standalone: A bucket in the cluster that is not replicated.
Unset: uninitialized

Example

List the configuration for buckets in a peer node of a cluster.

curl -k -u admin:pass https://localhost:8189/services/cluster/slave/buckets
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>clusterslavebuckets</title>
  <id>https://localhost:8189/services/cluster/slave/buckets</id>
  <updated>2012-09-05T12:29:42-07:00</updated>
  <generator build="136169" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516</title>
    <id>https://localhost:8189/services/cluster/slave/buckets/_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516</id>
    <updated>2012-09-05T12:29:42-07:00</updated>
    <link href="/services/cluster/slave/buckets/_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/cluster/slave/buckets/_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="checksum"></s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="earliest_time">1346859162</s:key>
        <s:key name="generations">
          <s:dict>
            <s:key name="0">0x0</s:key>
          </s:dict>
        </s:key>
        <s:key name="latest_time">1346859257</s:key>
        <s:key name="search_state">Searchable</s:key>
        <s:key name="status">Complete</s:key>
      </s:dict>
    </content>
  </entry>
  . . .
</feed>

cluster/slave/buckets/{name}

GET cluster/slave/buckets/{name}

List details of the specified bucket, which is on a peer in a cluster.

Request

Name Type Required Default Description
generation_id String The generation ID for this peer.

For each generation, the master server in a cluster configuration assigns generation IDs. A generation identifies which copies of a cluster's buckets are primary and therefore can participate in a search.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view bucket configuration for this peer.
404 Specified bucket does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
checksum Used internally to identify this bucket.
eai:attributes See Accessing Splunk resources
earliest_time Indicates the time of the earliest event in this bucket.
generation_id The generation ID for this peer.
generations A sparse list of generation id to bucket primacy for the given peer.
latest_time Indicates the time for the latest event in this bucket.
search_state Indicates if the bucket is searchable.

Possible values:

Searchable
Unsearchable
status Indicates the status of this bucket.

Possible values:

Complete: Copy of this bucket contains the full complement of information
StreamingSource: The copy of this bucket is sending data to peer nodes for replication
StreamingTarget: The copy of this bucket is receiving replicated data.
NonStreamingTarget: This copy of a warm bucket replication is in progress. Once replication is complete, the status changes to Complete.
StreamingError: the copy of this bucket encountered errors while streaming data.
PendingTruncate: The master asked the peer to truncate this copy of the bucket to a certain size and is waiting for confirmation.
PendingDiscard: The master asked the peer to discard this copy of the bucket (for whatever reason, and is waiting for confirmation.
Standalone: A bucket in the cluster that is not replicated.

Example

List details of the named bucket, which is on a peer in a cluster.

curl -k -u admin:pass \
	https://localhost:8189/services/cluster/slave/buckets/_audit~0~B8B5E5C6-DB26-4952-AFB1-C5EFEFFFEA31
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>clusterslavebuckets</title>
  <id>https://localhost:8189/services/cluster/slave/buckets</id>
  <updated>2012-09-05T12:40:43-07:00</updated>
  <generator build="136169" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9</title>
    <id>https://localhost:8189/services/cluster/slave/buckets/_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9</id>
    <updated>2012-09-05T12:40:43-07:00</updated>
    <link href="/services/cluster/slave/buckets/_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/cluster/slave/buckets/_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="checksum"></s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="earliest_time">0</s:key>
        <s:key name="generations">
          <s:dict>
            <s:key name="0">0xffffffffffffffff</s:key>
          </s:dict>
        </s:key>
        <s:key name="latest_time">0</s:key>
        <s:key name="search_state">Searchable</s:key>
        <s:key name="status">StreamingSource</s:key>
      </s:dict>
    </content>
  </entry>
</feed>


cluster/slave/info

Provides access to information about peer nodes in a cluster.

GET cluster/slave/info

List information about a peer node in a cluster.

Request

Name Type Required Default Description
count Number 30 Indicates the maximum number of entries to return. To return all entries, specify -1.
offset Number 0 Index for first item to return.
search String Search expression to filter the response. The response matches field values against the search expression. For example:

search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example.

sort_dir Enum asc Valid values: (asc | desc)

Indicates whether to sort returned entries in ascending or descending order.

sort_key String name Field to use for sorting.
sort_mode Enum auto Valid values: (auto | alpha | alpha_case | num)

Indicates the collating sequence for sorting the returned entries. auto: If all values of the field are numbers, collate numerically. Otherwise, collate alphabetically. alpha: Collate alphabetically. alpha_case: Collate alphabetically, case-sensitive. num: Collate numerically.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view information about the Splunk server.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
active_bundle Current bundle being used by this peer.
base_generation_id The initial bundle generation ID recognized by this peer. Any searches from previous generations fail.

The initial bundle generation ID is created when a peer first comes online, restarts, or recontacts the master.

invalid_bundle_ids List of bundle ids which had validation errors in the peer.
is_registered Indicates if this peer is registered with the master in the cluster.
last_heartbeat_attempt Timestamp for the last attempt to contact the master.
latest_bundle Lists information about the most recent bundle downloaded from the master.
restart_state Indicates whether the peer needs to be restarted to enable its cluster configuration.
status Indicates the status of the peer.

Possible values:

Up
Down
Pending
Detention
Restarting
DecommAvaitingPeer
DecommFixingBuckets
Decommissioned

Example

Lists information about a peer node in a cluster.

curl -k -u admin:pass https://localhost:8189/services/cluster/slave/info

<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest"
      xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>clusterslaveinfo</title>
  <id>https://localhost:8189/services/cluster/slave/info</id>
  <updated>2012-09-05T12:45:59-07:00</updated>
  <generator build="136169" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>slave</title>
    <id>https://localhost:8189/services/cluster/slave/info/slave</id>
    <updated>2012-09-05T12:45:59-07:00</updated>
    <link href="/services/cluster/slave/info/slave" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/cluster/slave/info/slave" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="active_bundle">
          <s:dict>
            <s:key name="bundle_path">/Applications/splunk-peer/var/run/splunk/cluster/remote-bundle/0f6078895127ab1f715ee78a6e1ff8a1-1346858928.bundle</s:key>
            <s:key name="checksum">36a883f4d47af66f78531ef474349b59</s:key>
            <s:key name="timestamp">1346858928</s:key>
          </s:dict>
        </s:key>
        <s:key name="base_generation_id">2</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <s:key name="invalid_bundle_ids">
          <s:list/>
        </s:key>
        <s:key name="is_registered">1</s:key>
        <s:key name="last_heartbeat_attempt">1346874358</s:key>
        <s:key name="latest_bundle">
          <s:dict>
            <s:key name="bundle_path">/Applications/splunk-peer/var/run/splunk/cluster/remote-bundle/0f6078895127ab1f715ee78a6e1ff8a1-1346858928.bundle</s:key>
            <s:key name="checksum">36a883f4d47af66f78531ef474349b59</s:key>
            <s:key name="timestamp">1346858928</s:key>
          </s:dict>
        </s:key>
        <s:key name="restart_state">NoRestart</s:key>
        <s:key name="status">Up</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

cluster/slave/info/{name}

GET cluster/slave/info/{name}

List information about the named peer in a cluster.

Request

No parameters for this request.

Response Codes

Status Code Description
200 Listed successfully.
400 Request error. See response body for details.
401 Authentication failure: must pass valid credentials with request.
403 Insufficient permissions to view the named Splunk server.
404 The named peer does not exist.
409 Request error: this operation is invalid for this item. See response body for details.
500 Internal server error. See response body for details.

Returned Values

Attribute Description
active_bundle Current bundle being used by this peer.
base_generation_id The initial bundle generation ID recognized by this peer. Any searches from previous generations fail.

The initial bundle generation ID is created when a peer first comes online, restarts, or recontacts the master.

invalid_bundle_ids List of bundle ids which had validation errors in the peer.
is_registered "Indicates if this peer is registered with the master in the cluster.
last_heartbeat_attempt Timestamp for the last attempt to contact the master.
latest_bundle Lists information about the most recent bundle downloaded from the master.
restart_state Indicates whether the peer needs to be restarted to enable its cluster configuration.
status Indicates the status of the peer.

Possible values:

Up
Down
Pending
Detention
Restarting
DecommAvaitingPeer
DecommFixingBuckets
Decommissioned

Example

Lists information about named peer in a cluster.

curl -k -u admin:pass https://localhost:8189/services/cluster/slave/info/slave
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>clusterslaveinfo</title>
  <id>https://localhost:8189/services/cluster/slave/info</id>
  <updated>2012-09-05T12:50:11-07:00</updated>
  <generator build="136169" version="5.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <!-- opensearch nodes elided for brevity. -->
  <s:messages/>
  <entry>
    <title>slave</title>
    <id>https://localhost:8189/services/cluster/slave/info/slave</id>
    <updated>2012-09-05T12:50:11-07:00</updated>
    <link href="/services/cluster/slave/info/slave" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/cluster/slave/info/slave" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="active_bundle">
          <s:dict>
            <s:key name="bundle_path">/Applications/splunk-peer/var/run/splunk/cluster/remote-bundle/0f6078895127ab1f715ee78a6e1ff8a1-1346858928.bundle</s:key>
            <s:key name="checksum">36a883f4d47af66f78531ef474349b59</s:key>
            <s:key name="timestamp">1346858928</s:key>
          </s:dict>
        </s:key>
        <s:key name="base_generation_id">2</s:key>
        <!-- eai:acl nodes elided for brevity. -->
        <!-- eai:attributes nodes elided for brevity. -->
        <s:key name="invalid_bundle_ids">
          <s:list/>
        </s:key>
        <s:key name="is_registered">1</s:key>
        <s:key name="last_heartbeat_attempt">1346874610</s:key>
        <s:key name="latest_bundle">
          <s:dict>
            <s:key name="bundle_path">/Applications/splunk-peer/var/run/splunk/cluster/remote-bundle/0f6078895127ab1f715ee78a6e1ff8a1-1346858928.bundle</s:key>
            <s:key name="checksum">36a883f4d47af66f78531ef474349b59</s:key>
            <s:key name="timestamp">1346858928</s:key>
          </s:dict>
        </s:key>
        <s:key name="restart_state">NoRestart</s:key>
        <s:key name="status">Up</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
PREVIOUS
Applications
  NEXT
Configurations

This documentation applies to the following versions of Splunk® Enterprise: 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters