Splunk® Enterprise

Distributed Search

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Use the CLI to view information about a search head cluster

A number of CLI commands provide status information on the search head cluster.

You can also use the monitoring console to get more information about the cluster. See "Use the monitoring console to view search head cluster status and troubleshoot issues."

Show cluster status

To check the overall status of your search head cluster, run this command from any member:

splunk show shcluster-status -auth <username>:<password>

The command returns basic information on the captain and the cluster members. Key information that it provides includes:

  • (Captain section.) The dynamic_captain field indicates whether the cluster uses a dynamic captain. A value of 1 specifies a dynamic captain.
  • (Captain section.) The id field specifies the cluster GUID. This GUID is different from the GUID of any cluster members, including the captain.
  • (Captain section.) The label field specifies the cluster label. The monitoring console uses the label identifier.
  • (Each member's section.) The status field specifies the status of each member, such as up, down, detention, restarting. Some status values require clarification:
  • Detention. A cluster member enters detention when it runs out of disk space. While in detention, the captain will not assign scheduled searches or artifact copies to it. To remediate, you must increase the disk space available to the instance.
  • Down. When a member leaves the cluster, because of some failure or because you remove it from the cluster, it enters the down state.
  • Pending. This indicates that the member is attempting to rejoin the cluster. This is a transitional state. The status changes to Up when the member successfully rejoins the cluster.
  • (Each member's section.) The last_conf_replication field indicates when the member last pulled a set of configurations from the captain. See View replication status.

Show member configuration

To check the configuration of a cluster member, run this command on the member itself:

splunk list shcluster-config -auth <username>:<password>

Alternatively, you can run this variant on another member:

splunk list shcluster-config -uri <URI>:<management_port> -auth <username>:<password>

Note the following:

  • The -uri parameter specifies the URI and management port for the member whose configuration you want to check.

List cluster members

To get a list of all cluster members, run this command from any member:

splunk list shcluster-members -auth <username>:<password>

This command returns all members of the cluster, along with their configurations.

Note: The command continues to list members that have left the cluster until captaincy transfers.

List member information

To list information about a member, run this command on the member itself:

splunk list shcluster-member-info -auth <username>:<password>

Alternatively, you can run this variant on another member:

splunk list shcluster-member-info -uri <URI>:<management_port> -auth <username>:<password>

Note the following:

  • The -uri parameter specifies the URI and management port for the member whose configuration you want to know.

List search artifacts

To list the set of artifacts stored on the cluster, run this command on the captain:

splunk list shcluster-artifacts

To list the set of artifacts stored on a particular member, run this command on the member itself:

splunk list shcluster-member-artifacts

List scheduler jobs

To list the set of scheduler jobs, run this command on the captain:

splunk list shcluster-scheduler-jobs -auth <username>:<password>
Last modified on 01 February, 2017
Use the search head clustering dashboard   Use the monitoring console to view search head cluster status and troubleshoot issues

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters