Splunk® Enterprise

REST API Reference Manual

This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Cluster endpoint descriptions

Manage indexer clusters and search head clusters in Splunk Enterprise.

To distinguish indexer cluster endpoints from search cluster endpoints, note:

The values manager and peer replace the prior values of master and slave. The prior values are currently still supported, but they will be removed from the product in a future release.

Usage details

Review ACL information for an endpoint

To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations.

Splunk users must have role and/or capability-based authorization to use REST endpoints. Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls and click Users. To determine the capabilities assigned to a role, select Settings > Access controls and click Roles.

App and user context

Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.

Splunk Cloud Platform limitations

As a Splunk Cloud Platform user, you are restricted to interacting with the search tier only with the REST API. Cluster endpoints are generally not accessible in Splunk Cloud Platform.

Authorized users can access and configure other indexer cluster nodes, including indexer or cluster manager, or license manager nodes, in the Splunk Cloud Platform manager user interface.

See Access requirements and limitations for the Splunk Cloud Platform REST API in the the REST API Tutorials manual for more information.


Indexer cluster endpoints

The endpoints in this section pertain to indexer clusters.

All endpoints that contain cluster in their URIs pertain to indexer clusters. In this section, if a URI contains the term search head, it refers to search head nodes in the indexer cluster. The term peer node refers to peer nodes in the indexer cluster. For more information about indexer cluster architecture, see The basics of indexer cluster architecture and Search head configuration overview in the Managing Indexers and Clusters of Indexers manual.

cluster/config

https://<host>:<mPort>/services/cluster/config

Access cluster node configuration details.


GET

List cluster node configuration.

Request parameters

Pagination and filtering parameters can be used with this method.

Returned values

Name Description
cxn_timeout Low-level timeout, in seconds, for establishing connection between cluster nodes. Defaults to 60 seconds.
disabled Indicates if this node is disabled.
forwarderdata_rcv_port The port from which to receive data from a forwarder.
forwarderdata_use_ssl Indicates whether to use SSL when receiving data from a forwarder.
heartbeat_period Only valid for peer nodes in a cluster. The time, in seconds, that a peer attempts to send a heartbeat to the manager
heartbeat_timeout Only valid for the manager node in a cluster configuration. The time, in seconds, before a manager considers a peer down. Once a peer is down, the manager initiates steps to replicate buckets from the dead peer to its live peers. Defaults to 60 seconds.
manager_uri Valid only for nodes configured as a peer or searchhead.

URI of the cluster manager to which this node connects.

max_peer_build_load The number of jobs that a peer can have in progress at any time that make the bucket searchable.
max_peer_rep_load Maximum number of replications that can be ongoing as a target.
mode Valid values: (manager | peer | searchhead | disabled) Defaults to disabled.

Sets operational mode for this cluster node. Only one manager may exist per cluster.

ping_flag For internal use to facilitate communication between the manager and peers.
quiet_period The time, in seconds, that a manager waits for peers to add themselves to the cluster.
rcv_timeout Low-level timeout, in seconds, for receiving data between cluster nodes. Defaults to 60 seconds.
register_forwarder_address Not used.

Reserved for future use.

register_replication_address Valid only for nodes configured as peers. The address on which a peer is available for accepting replication data. This is useful in the cases where a peer host machine has multiple interfaces and only one of them can be reached by another splunkd instance.
register_search_address IP address that advertises this indexer to search heads.
rep_cxn_timeout Low-level timeout, in seconds, for establishing a connection for replicating data.
rep_max_rcv_timeout Maximum cumulative time, in seconds, for receiving acknowledgement data from peers. Defaults to 600s.
rep_max_send_timeout Maximum time, in seconds, for sending replication slice data between cluster nodes. Defaults to 600s.
rep_rcv_timeout Low-level timeout, in seconds, for receiving data between cluster nodes.
rep_send_timeout Low-level timeout, in seconds, for sending replication data between cluster nodes. Defaults to 5 seconds.
replication_factor Only valid for nodes configured as a manager.

Determines how many copies of raw data are created in the cluster. This could be less than the number of cluster peers.

Must be greater than 0 and greater than or equal to the search factor. Defaults to 3.

replication_port TCP port to listen for replicated data from another cluster member.
replication_use_ssl Indicates whether to use SSL when sending replication data.
restart_timeout Only valid for nodes configured as a manager. The amount of time, in seconds, the manager waits for a peer to come back when the peer is restarted (to avoid the overhead of trying to fix the buckets that were on the peer). Defaults to 600 seconds.

Note: This only works if the peer is restarted from Splunk Web.

search_factor Only valid for nodes configured as a manager. Determines how many searchable copies of each bucket to maintain. Must be less than or equal to replication_factor and greater than 0. Defaults to 2.
secret Secret shared among the nodes in the cluster to prevent any arbitrary node from connecting to the cluster. If a peer or searchhead is not configured with the same secret as the manager, it is not able to communicate with the manager.

Corresponds to pass4SymmKey setting in server.conf.

send_timeout Low-level timeout, in seconds, for sending data between cluster nodes. Defaults to 60 seconds.
summary_replication Boolean indicator of whether summary replication is on or off. A true value means that it is turned on.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/config

XML Response

<title>clusterconfig</title>
 <id>https://localhost:8089/services/cluster/config</id>
 <updated>2012-09-05T10:19:49-07:00</updated>
 <generator build="136169" version="5.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/config/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>config</title>
   <id>https://localhost:8089/services/cluster/config/config</id>
   <updated>2012-09-05T10:19:49-07:00</updated>
   <link href="/services/cluster/config/config" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/config/config" rel="list"/>
   <link href="/services/cluster/config/config/_reload" rel="_reload"/>
   <link href="/services/cluster/config/config" rel="edit"/>
   <link href="/services/cluster/config/config/disable" rel="disable"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="cxn_timeout">60</s:key>
       <s:key name="disabled">0</s:key>
       ... eai:acl node elided ...
       <s:key name="forwarderdata_rcv_port">0</s:key>
       <s:key name="forwarderdata_use_ssl">1</s:key>
       <s:key name="heartbeat_period">1</s:key>
       <s:key name="heartbeat_timeout">60</s:key>
       <s:key name="manager_uri"></s:key>
       <s:key name="max_peer_build_load">5</s:key>
       <s:key name="max_peer_rep_load">5</s:key>
       <s:key name="mode">manager</s:key>
       <s:key name="ping_flag">1</s:key>
       <s:key name="quiet_period">60</s:key>
       <s:key name="rcv_timeout">60</s:key>
       <s:key name="register_forwarder_address"></s:key>
       <s:key name="register_replication_address"></s:key>
       <s:key name="register_search_address"></s:key>
       <s:key name="rep_cxn_timeout">5</s:key>
       <s:key name="rep_max_rcv_timeout">600</s:key>
       <s:key name="rep_max_send_timeout">600</s:key>
       <s:key name="rep_rcv_timeout">10</s:key>
       <s:key name="rep_send_timeout">5</s:key>
       <s:key name="replication_factor">2</s:key>
       <s:key name="replication_port"></s:key>
       <s:key name="replication_use_ssl">0</s:key>
       <s:key name="restart_timeout">600</s:key>
       <s:key name="search_factor">2</s:key>
       <s:key name="secret">********</s:key>
       <s:key name="send_timeout">60</s:key>
     </s:dict>
   </content>
 </entry>

cluster/config/config

https://<host>:<mPort>/services/cluster/config/config

Manage cluster node configuration details.


GET

List cluster node configuration.

This operation works identically to the GET on cluster/config.


POST

Manage configuration details.


See Indexer cluster configuration overview in Managing Indexers and Clusters of Indexers and the [clustering] stanza options in the server.conf spec file for more details on indexer cluster configuration.

Request parameters

Name Datatype Description
available_sites N/A Sets the various sites that are recognized for this manager. Valid values include site1 to site64.
cluster_label String Label for this cluster.
cxn_timeout Number Low-level timeout, in seconds, for establishing connection between cluster nodes. Defaults to 60 seconds.
heartbeat_period Number Only valid for peer nodes in a cluster. Time, in seconds, that a peer attempts to send a heartbeat to the manager
heartbeat_timeout Number Only valid for the manager node in a cluster configuration. Time, in seconds, before a manager considers a peer down. Once a peer is down, the manager initiates steps to replicate buckets from the dead peer to its live peers. Defaults to 60 seconds.
manager_uri URI Valid only for nodes configured as a peer or searchhead. URI of the cluster manager to which this node connects.
max_peer_build_load Number The number of jobs that a peer can have in progress at any time that make the bucket searchable.
max_peer_rep_load Number Maximum number of replications that can be ongoing as a target.
mode See description. Required. Valid values: (manager | peer | searchhead | disabled) Defaults to disabled. Sets operational mode for this cluster node. Only one manager may exist per cluster.
multisite Boolean Enable or disable the multisite feature for this cluster.
notify_scan_period Non-zero number Controls the frequency that the indexer scans summary folders for summary updates. Only used when summary_replication is enabled on the manager. Defaults to 10 seconds.
ping_flag N/A For internal use to facilitate communication between the manager and peers.
quiet_period Number The time, in seconds, that a manager waits for peers to add themselves to the cluster.
rcv_timeout Number Low-level timeout, in seconds, for receiving data between cluster nodes. Defaults to 60 seconds.
register_forwarder_address N/A Reserved for future use.
register_replication_address See description. Valid only for nodes configured as peers. The address on which a peer is available for accepting replication data. This is useful in the cases where a peer host machine has multiple interfaces and only one of them can be reached by another splunkd instance.
register_search_address N/A IP address that advertises this indexer to search heads.
rep_cxn_timeout Number Low-level timeout, in seconds, for establishing a connection for replicating data.
rep_max_rcv_timeout Number Maximum cumulative time, in seconds, for receiving acknowledgement data from peers. Defaults to 600s.
rep_max_send_timeout Number Maximum time, in seconds, for sending replication slice data between cluster nodes. Defaults to 600s.
rep_rcv_timeout Number Low-level timeout, in seconds, for receiving data between cluster nodes.
rep_send_timeout Number Low-level timeout, in seconds, for sending replication data between cluster nodes. Defaults to 5 seconds.
replication_factor Number Only valid for nodes configured as a manager. Determines how many copies of raw data are created in the cluster. This could be less than the number of cluster peers. Must be greater than 0 and greater than or equal to the search factor. Defaults to 3.
replication_port Number TCP port to listen for replicated data from another cluster member.
replication_use_ssl Number Indicates whether to use SSL when sending replication data.
restart_timeout Number Only valid for nodes configured as a manager. The amount of time, in seconds, the manager waits for a peer to come back when the peer is restarted (to avoid the overhead of trying to fix the buckets that were on the peer). Defaults to 600 seconds.

Note: This only works if the peer is restarted from Splunk Web.

search_factor Number Only valid for nodes configured as a manager. Determines how many searchable copies of each bucket to maintain. Must be less than or equal to replication_factor and greater than 0. Defaults to 2.
secret N/A Secret shared among the nodes in the cluster to prevent any arbitrary node from connecting to the cluster. If a peer or searchhead is not configured with the same secret as the manager, it is not able to communicate with the manager. Corresponds to pass4SymmKey setting in server.conf.
send_timeout Number Low-level timeout, in seconds, for sending data between cluster nodes. Defaults to 60 seconds.
site N/A Site ID for peer/searchhead indexer. Valid values include site1 to site64.
site_replication_factor Number Replication factor for a multisite configuration.
site_search_factor Number Search factor for a multisite configuration.
summary_replication Boolean Enable or disable summary replication.
use_batch_mask_changes Boolean Only valid for mode=manager .Specifies if the manager should process bucket mask changes in

batch or inidividually one by one. Defaults to true. Set to false when there are 6.1 peers in the cluster for backwards compatibility.

Response data keys

None.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/config/config -d cxn_timeout=59

XML Response

  <title>clusterconfig</title>
  <id>https://localhost:8089/services/cluster/config</id>
  <updated>2015-12-07T17:09:48-08:00</updated>
  <generator build="917abedc8bb44ec1c225a6eb730808a606174cf0" version="20151123"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/config/_reload" rel="_reload"/>
  <link href="/services/cluster/config/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>

cluster/manager/buckets

https://<host>:<mPort>/services/cluster/manager/buckets

Provides bucket configuration information for a cluster manager node.


GET

List cluster manager node bucket configuration.


Request parameters
Use an &summaries=true field in the query string to show summaries.

Use one or more filters in the query string to select buckets or bucket states. For example, use this URL to filter buckets returned for both the main index and StreamingSource status.

https://localhost:8089/services/cluster/manager/buckets?filter=index=main&filter=status=StreamingSource

See the following table for available filters.

Filter name Datatype Description
index String Index name.
status String Bucket state. Available options are
  • StreamingSource
  • StreamingTarget
  • Complete
  • StreamingError
  • PendingTruncate Bucket is scheduled to truncate.
  • PendingDiscard Bucket is scheduled to discard.
  • NonStreamingTarget
search_state String Bucket search state. Available options are
  • Searchable
  • Unsearchable
  • PendingSearchable Bucket scheduled to become searchable by transferring or building tsidx files.
  • PendingUnsearchable Bucket is scheduled to become unsearchable.
  • SearchablePendingMask Primary change is scheduled or in progress.
replication_count Number Use <, >, != or = with numbers to indicate filtering values.
search_count Number Use <, >, != or = with numbers to indicate filtering values.
bucket_size Number Use <, >, != or = with numbers to indicate filtering values.
frozen Boolean
true | false
Return frozen buckets or non-frozen buckets.
has_primary Boolean
true | false
Return buckets with primaries or without primaries.
meets_multisite_replication_count Boolean
true | false
Return buckets that meet cluster replication policy or buckets that do not meet cluster replication policy.
meets_multisite_search_count Boolean
true | false
Return buckets that meet cluster search policy or buckets that do not meet cluster search policy.
multisite_bucket Boolean
true | false
Return buckets created in multisite mode or buckets not created in multisite mode.
origin_site String Site of the indexer where buckets were created.
standalone Boolean
true | false
Use true or 1 to return standalone buckets. Use false or 0 to return clustered buckets.

Pagination and filtering parameters can be used with this method.

Returned values

Name Description
bucket_size Indicates the size, in bytes, of the bucket.
constrain_to_origin_site Flag indicating this particular bucket is a clustered pre-multisite bucket. Such buckets are replicated only within their origin site.
frozen Indicates if the bucket is frozen.
index Name of the index to which the bucket belongs.
origin_site Where the bucket originated.
peers Lists information about buckets on peers to this manager.
primaries_by_site Primary peer (GIUD).
rep_count_by_site Number of buckets.
search_count_by_site Number of searchable buckets.
service_after_time Bucket service is deferred until after this time.
standalone Indicates if the bucket was created on the peer before the peer entered into a cluster configuration with this manager.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/manager/buckets


XML Response

<title>clustermanagerbuckets</title>
 <id>https://localhost:8089/services/cluster/manager/buckets</id>
 <updated>2014-04-17T19:13:57+00:00</updated>
 <generator build="204899" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/manager/buckets/_new" rel="create"/>
 <opensearch:totalResults>24</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>_audit~0~238C3311-F0A4-4A9B-97F0-53667CFFEEAB</title>
   <id>https://localhost:8089/services/cluster/manager/buckets/_audit~0~238C3311-F0A4-4A9B-97F0-53667CFFEEAB</id>
   <updated>2014-04-17T19:13:57+00:00</updated>
   <link href="/services/cluster/manager/buckets/_audit~0~238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/manager/buckets/_audit~0~238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="list"/>
   <link href="/services/cluster/manager/buckets/_audit~0~238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="bucket_size">47187</s:key>
       <s:key name="constrain_to_origin_site">1</s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="frozen">0</s:key>
       <s:key name="index">_audit</s:key>
       <s:key name="origin_site">site2</s:key>
       <s:key name="peers">
         <s:dict>
           <s:key name="238C3311-F0A4-4A9B-97F0-53667CFFEEAB">
             <s:dict>
               <s:key name="bucket_flags">0x6</s:key>
               <s:key name="checksum"></s:key>
               <s:key name="checksum_state">StableCksum</s:key>
               <s:key name="search_state">Searchable</s:key>
               <s:key name="status">Complete</s:key>
             </s:dict>
           </s:key>
           <s:key name="C878FADC-513D-4BDD-BA48-F25BB82FE565">
             <s:dict>
               <s:key name="bucket_flags">0x0</s:key>
               <s:key name="checksum"></s:key>
               <s:key name="checksum_state">StableCksum</s:key>
               <s:key name="search_state">Searchable</s:key>
               <s:key name="status">Complete</s:key>
             </s:dict>
           </s:key>
           <s:key name="E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C">
             <s:dict>
               <s:key name="bucket_flags">0x0</s:key>
               <s:key name="checksum"></s:key>
               <s:key name="checksum_state">StableCksum</s:key>
               <s:key name="search_state">Unsearchable</s:key>
               <s:key name="status">Complete</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="primaries_by_site">
         <s:dict>
           <s:key name="site1">238C3311-F0A4-4A9B-97F0-53667CFFEEAB</s:key>
           <s:key name="site2">238C3311-F0A4-4A9B-97F0-53667CFFEEAB</s:key>
         </s:dict>
       </s:key>
       <s:key name="rep_count_by_site">
         <s:dict>
           <s:key name="site2">3</s:key>
         </s:dict>
       </s:key>
       <s:key name="search_count_by_site">
         <s:dict>
           <s:key name="site2">2</s:key>
         </s:dict>
       </s:key>
       <s:key name="service_after_time">0</s:key>
       <s:key name="standalone">0</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
     .
     .
     .
   elided
     .
     .
     .
 <entry>
   <title>_internal~1~E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C</title>
   <id>https://localhost:8089/services/cluster/manager/buckets/_internal~1~E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C</id>
   <updated>2014-04-17T19:13:57+00:00</updated>
   <link href="/services/cluster/manager/buckets/_internal~1~E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/manager/buckets/_internal~1~E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C" rel="list"/>
   <link href="/services/cluster/manager/buckets/_internal~1~E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="bucket_size"></s:key>
       <s:key name="constrain_to_origin_site">0</s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="frozen">0</s:key>
       <s:key name="index">_internal</s:key>
       <s:key name="origin_site">site2</s:key>
       <s:key name="peers">
         <s:dict>
           <s:key name="61666763-43E9-411B-9464-D80A5119EF0E">
             <s:dict>
               <s:key name="bucket_flags">0x2</s:key>
               <s:key name="checksum"></s:key>
               <s:key name="checksum_state">StableCksum</s:key>
               <s:key name="search_state">Searchable</s:key>
               <s:key name="status">StreamingTarget</s:key>
             </s:dict>
           </s:key>
           <s:key name="C878FADC-513D-4BDD-BA48-F25BB82FE565">
             <s:dict>
               <s:key name="bucket_flags">0x0</s:key>
               <s:key name="checksum"></s:key>
               <s:key name="checksum_state">StableCksum</s:key>
               <s:key name="search_state">Unsearchable</s:key>
               <s:key name="status">StreamingTarget</s:key>
             </s:dict>
           </s:key>
           <s:key name="E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C">
             <s:dict>
               <s:key name="bucket_flags">0x4</s:key>
               <s:key name="checksum"></s:key>
               <s:key name="checksum_state">StableCksum</s:key>
               <s:key name="search_state">Searchable</s:key>
               <s:key name="status">StreamingSource</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="primaries_by_site">
         <s:dict>
           <s:key name="site1">61666763-43E9-411B-9464-D80A5119EF0E</s:key>
           <s:key name="site2">E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C</s:key>
         </s:dict>
       </s:key>
       <s:key name="rep_count_by_site">
         <s:dict>
           <s:key name="site1">1</s:key>
           <s:key name="site2">2</s:key>
         </s:dict>
       </s:key>
       <s:key name="search_count_by_site">
         <s:dict>
           <s:key name="site1">1</s:key>
           <s:key name="site2">1</s:key>
         </s:dict>
       </s:key>
       <s:key name="service_after_time">0</s:key>
       <s:key name="standalone">0</s:key>
     </s:dict>
   </content>
 </entry>


cluster/manager/buckets/{name}

https://<host>:<mPort>/services/cluster/manager/buckets/{name}

Access bucket configuration information.


GET

List bucket configuration information.


Request parameters

The filter parameter of the Pagination and filtering parameters can be used with this method.


Returned values

Name Description
bucket_size Indicates the size, in bytes, of the bucket.
constrain_to_origin_site Flag indicating this particular bucket is a clustered pre-multisite bucket. Such buckets are replicated only within their origin site.
frozen Indicates if the bucket is frozen.
index Name of the index to which the bucket belongs.
origin_site Where the bucket originated.
peers Lists information about buckets on peers to this manager.
primaries_by_site Primary peer (GIUD).
rep_count_by_site Number of buckets.
search_count_by_site Number of searchable buckets.
service_after_time Bucket service is deferred until after this time.
standalone Indicates if the bucket was created on the peer before the peer entered into a cluster configuration with this manager.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/manager/buckets/internal~1~238C3311-F0A4-4A9B-97F0-53667CFFEEAB

XML Response

<title>clustermanagerbuckets</title>
 <id>https://localhost:8089/services/cluster/manager/buckets</id>
 <updated>2014-04-17T19:16:03+00:00</updated>
 <generator build="204899" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/manager/buckets/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>_internal~1~238C3311-F0A4-4A9B-97F0-53667CFFEEAB</title>
   <id>https://localhost:8089/services/cluster/manager/buckets/_internal~1~238C3311-F0A4-4A9B-97F0-53667CFFEEAB</id>
   <updated>2014-04-17T19:16:03+00:00</updated>
   <link href="/services/cluster/manager/buckets/_internal~1~238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/manager/buckets/_internal~1~238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="list"/>
   <link href="/services/cluster/manager/buckets/_internal~1~238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="bucket_size"></s:key>
       <s:key name="constrain_to_origin_site">0</s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="eai:attributes">
         ... elided ...
       </s:key>
       <s:key name="frozen">0</s:key>
       <s:key name="index">_internal</s:key>
       <s:key name="origin_site">site2</s:key>
       <s:key name="peers">
         <s:dict>
           <s:key name="238C3311-F0A4-4A9B-97F0-53667CFFEEAB">
             <s:dict>
               <s:key name="bucket_flags">0x4</s:key>
               <s:key name="checksum"></s:key>
               <s:key name="checksum_state">StableCksum</s:key>
               <s:key name="search_state">Searchable</s:key>
               <s:key name="status">StreamingSource</s:key>
             </s:dict>
           </s:key>
           <s:key name="29F9560E-A44A-425C-8753-1C6158B46C84">
             <s:dict>
               <s:key name="bucket_flags">0x2</s:key>
               <s:key name="checksum"></s:key>
               <s:key name="checksum_state">StableCksum</s:key>
               <s:key name="search_state">Searchable</s:key>
               <s:key name="status">StreamingTarget</s:key>
             </s:dict>
           </s:key>
           <s:key name="C878FADC-513D-4BDD-BA48-F25BB82FE565">
             <s:dict>
               <s:key name="bucket_flags">0x0</s:key>
               <s:key name="checksum"></s:key>
               <s:key name="checksum_state">StableCksum</s:key>
               <s:key name="search_state">Unsearchable</s:key>
               <s:key name="status">StreamingTarget</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="primaries_by_site">
         <s:dict>
           <s:key name="site1">29F9560E-A44A-425C-8753-1C6158B46C84</s:key>
           <s:key name="site2">238C3311-F0A4-4A9B-97F0-53667CFFEEAB</s:key>
         </s:dict>
       </s:key>
       <s:key name="rep_count_by_site">
         <s:dict>
           <s:key name="site1">1</s:key>
           <s:key name="site2">2</s:key>
         </s:dict>
       </s:key>
       <s:key name="search_count_by_site">
         <s:dict>
           <s:key name="site1">1</s:key>
           <s:key name="site2">1</s:key>
         </s:dict>
       </s:key>
       <s:key name="service_after_time">0</s:key>
       <s:key name="standalone">0</s:key>
     </s:dict>
   </content>
 </entry>

cluster/manager/buckets/{bucket_id}/fix

https://<host>:<mPort>/services/cluster/manager/buckets/{bucket_id}/fix

Add the specified bucket to the fix list.

For more information, see Bucket-fixing scenarios in Managing Indexers and Clusters of Indexers.

Authentication and Authorization
Requires the admin role or indexes_edit capability.


POST

Add this bucket to the fix list.


Request parameters

None

Returned values
None


Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/cluster/manager/buckets/_internal~0~111175BA-00DF-4CFE-9AEC-48A87B97EC71/fix -X POST


XML Response

  <title>clustermanagerbuckets</title>
  <id>https://localhost:8089/services/cluster/manager/buckets</id>
  <updated>2015-11-04T12:23:57-08:00</updated>
  <generator build="8effae892620f7b651853d141b7b7a6b61b929c0" version="20151102"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/manager/buckets/_new" rel="create"/>
  <link href="/services/cluster/manager/buckets/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>


cluster/manager/buckets/{bucket_id}/freeze

https://<host>:<mPort>/services/cluster/manager/buckets/{bucket_id}/freeze

Set the bucket's state to frozen. The frozen state may not persist after a cluster manager restart unless one of the peers has set the frozen state. A POST to this endpoint does not set the bucket's state to frozen on peers.

Note: Use this endpoint with caution. It is recommended to test the endpoint in a test cluster prior to use on an actual bucket.

For more information, see How the cluster handles frozen buckets in Managing Indexers and Clusters of Indexers.

Authentication and Authorization

Requires the admin role or indexes_edit capability.


POST

Set this bucket's state to frozen.

Request parameters
None

Returned values
None


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/manager/buckets/_internal~0~111175BA-00DF-4CFE-9AEC-48A87B97EC71/freeze -X POST


XML Response

  <title>clustermanagerbuckets</title>
  <id>https://locahost:8089/services/cluster/manager/buckets</id>
  <updated>2015-11-04T12:21:27-08:00</updated>
  <generator build="8effae892620f7b651853d141b7b7a6b61b929c0" version="20151102"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/manager/buckets/_new" rel="create"/>
  <link href="/services/cluster/manager/buckets/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>

cluster/manager/buckets/{bucket_id}/remove_all

https://<host>:<mPort>/services/cluster/manager/buckets/{bucket_id}/remove_all

Delete all copies of the specified bucket.

Caution: Using this endpoint will cause irreversible data loss. It is recommended to test the endpoint on a test cluster prior to use on an actual bucket.

Authentication and Authorization
Requires the admin role or indexes_edit capability.


POST

Delete all copies of the specified bucket.


Request parameters

None

Returned values

None. If an invalid bucket id is used, an error message is returned.

<response>
  <messages>
    <msg type="ERROR">
 In handler 'clustermanagerbuckets': bucket not found</msg>
  </messages>
</response>

If the request is made on a hot bucket, an error message is returned.

<response>
  <messages>
    <msg type="ERROR">
 In handler 'clustermanagerbuckets': cannot remove hot bucket from cluster</msg>
  </messages>
</response>

Example request and response

XML Request

curl -k -u admin:password https://localhost:8089/services/cluster/manager/buckets/_internal~0~111175BA-00DF-4CFE-9AEC-48A87B97EC71/remove_all -X POST

XML Response

<title>clustermanagerbuckets</title>
  <id>https://localhost:8089/services/cluster/manager/buckets</id>
  <updated>2015-11-04T12:24:12-08:00</updated>
  <generator build="8effae892620f7b653d141b7b7a6b61b929c0" version="20151102"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/manager/buckets/_new" rel="create"/>
  <link href="/services/cluster/manager/buckets/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>

cluster/manager/buckets/{bucket_id}/remove_from_peer

https://<host>:<mPort>/services/cluster/manager/buckets/{bucket_id}/remove_from_peer

Deletes the copy of this bucket from specified peer.

If the request causes the cluster to lose its complete state, the cluster will engage in fixup activities. This may result in another copy of the same bucket appearing on this peer. If, however, the specified bucket is frozen, the cluster does not attempt any fixup activities.

Caution: Using this endpoint will cause irreversible data loss. It is recommended to test the endpoint on a test-cluster prior to use on an actual bucket.


Authentication and Authorization
Requires the admin role or indexes_edit capability.


POST

Delete this bucket from specified peer. Set bucket state to frozen

Request parameters

Name Type Description
peer (required) GUID Peer GUID


Returned values
None. If the peer parameter is missing from the request, an error message is returned.

<response>
  <messages>
    <msg type="ERROR">
 In handler 'clustermanagerbuckets': The following required arguments are missing: peer.</msg>
  </messages>
</response>

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/manager/buckets/_internal~0~111175BA-00DF-4CFE-9AEC-48A87B97EC71/remove_from_peer -X POST -d peer=222275BA-00DF-4CFE-9AEC-48A87B97EC71

XML Response

 <title>clustermanagerbuckets</title>
  <id>https://localhost:8089/services/cluster/manager/buckets</id>
  <updated>2015-11-04T12:23:18-08:00</updated>
  <generator build="8effae892620f7b651853d141b7b7a6b61b929c0" version="20151102"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/manager/buckets/_new" rel="create"/>
  <link href="/services/cluster/manager/buckets/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>

cluster/manager/control/control/prune_index

https://<host>:<mPort>/services/cluster/manager/control/control/prune_index

Clean up excess bucket copies across an index.

For more information, see Remove extra bucket copies in Managing Indexers and Clusters of Indexers.


POST

Clean up excess bucket copies across an index.


Request parameters

Name Description
index Optional. The index from which to remove excess bucket copies. If not specified, the POST operation clears excess bucket copies across all indexes.


Returned values
None


Example request

XML Request


curl -k -u admin:pass https://localhost:8089/services/cluster/manager/control/control/prune_index -d index="my_index"

cluster/manager/control/control/rebalance_primaries

https://<host>:<mPort>/services/cluster/manager/control/control/rebalance_primaries

Rebalance primary bucket copies across peers. For more information, see Rebalance the indexer cluster primary buckets in Managing Indexers and Clusters of Indexers.


POST

Rebalance primary buckets across all peers of this manager.


Request parameters

None

Returned values
None


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/manager/control/control/rebalance_primaries --request POST

XML Response

<title>clustermanagercontrol</title>
 <id>https://localhost:8089/services/cluster/manager/control</id>
 <updated>2013-08-21T13:08:52-07:00</updated>
 <generator build="176231" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>0</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>

cluster/manager/control/control/remove_peers

https://<host>:<mPort>/services/cluster/manager/control/control/remove_peers

Remove one or more peers.

See also
cluster/manager/peers


POST

Remove one or more peers.


Request parameters

Name Type Description
peers
Required
String One or more comma-separated peer GUIDs.


Returned values
None


Application usage

If peer status is not Down or GracefulShutdown, the interface returns the following error message:

<response>
  <messages>
    <msg type="ERROR">
 In handler 'clustermanagercontrol': Remove aborted, Reason: Peer=<hostname> with guid=<peerID> cannot be removed. Peer has status=Up. Only peers with status=Down (or) GracefulShutdown can be removed.</msg>
  </messages>
</response>


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/manager/control/control/remove_peers --request POST  -d "peers=F2AA19BD-622F-4F8C-A8E0-1233"

XML Response

 <title>clustermanagercontrol</title>
 <id>https://localhost:8089/services/cluster/manager/control</id>
 <updated>2014-09-10T13:12:54-07:00</updated>
 <generator build="230688" version="6.2"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...

cluster/manager/control/control/resync_bucket_from_peer

https://<host>:<mPort>/services/cluster/manager/control/control/resync_bucket_from_peer

This endpoint resets the state of a specified bucket based on the current state of the bucket at a peer.


POST

Reset bucket state based on the current state of the bucket at a peer.


Request Parameters

Name Type Default Description
bucket_id String N/A Required. ID of bucket to update.
peer GUID N/A Required. GUID of peer from which to update the bucket.


Returned Values
None.

Example request and response

XML Request

curl -k -u admin:pass https://hostname:mPort:/services/cluster/manager/control/control/resync_bucket_from_peer -X POST -d bucket_id=_audit~2~8F6747E9-88C9-4488-8806-4EA3CA433CF5 -d peer=8F6747E9-88C9-4488-8806-4EA3CA433CF5
 

XML Response

  <title>clustermanagercontrol</title>
  <id>https://10.66.129.225:8089/services/cluster/manager/control</id>
  <updated>2016-06-30T14:32:06+08:00</updated>
  <generator build="9904f7fc29b" version="6.4.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/manager/control/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>

cluster/manager/control/control/roll-hot-buckets

https://<host>:<mPort>/services/cluster/manager/control/control/roll-hot-buckets

This endpoint forces a specified bucket in an indexer cluster to roll from hot to warm. Pass the bucket id (bid) to the manager node. The manager instructs the origin peer for that bucket to roll its copy. In turn, the origin peer tells all the replicating peers to roll their copies

You might discover a bucket that is stuck in fixup and needs to be rolled using logs, Splunk Web, or either of the following two endpoints.


Authorization and authentication
This endpoint requires the admin role for use.


POST

Force a bucket to roll from hot to warm.


Request parameters

Name Type Default Description
bucket_id String N/A Required. ID for bucket to roll.


Returned values
None.


Example request and response

XML Request

curl -k -u username:password https://localhost:8089/services/cluster/manager/control/control/roll-hot-buckets -X POST -d "bucket_id=_audit~2~1A3889D7-954B-4CE6-B071-01B438DE9865"

XML Response

<title>clustermanagercontrol</title>
  <id>https://localhost:8089/services/cluster/manager/control</id>
  <updated>2015-10-30T07:34:56+08:00</updated>
  <generator build="0d98363e4338" version="6.4.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/manager/control/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>

cluster/manager/control/control/rolling_upgrade_finalize

https://<host>:<mPort>/services/cluster/manager/control/control/rolling_upgrade_finalize

Finalizes an indexer cluster rolling upgrade.


POST

Finalizes an indexer cluster rolling upgrade.


Returned values
None


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/manager/control/control/rolling_upgrade_finalize -X POST

XML Response

<title>clustermanagercontrol</title>
  <id>https://10.141.65.179:52000/services/cluster/manager/control</id>
  <updated>2018-04-01T22:04:46+00:00</updated>
  <generator build="b233a6c1ade2" version="7.2.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/manager/control/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages>
    <s:msg type="INFO">Cluster is no longer in searchable rolling upgrade mode.</s:msg>
  </s:messages>



cluster/manager/control/control/rolling_upgrade_init

https://<host>:<mPort>/services/cluster/manager/control/control/rolling_upgrade_init

Initializes an indexer cluster rolling upgrade.


POST

Initializes an indexer cluster rolling upgrade.


Returned values
None


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/manager/control/control/rolling_upgrade_init -X POST

XML Response

  <title>clustermanagercontrol</title>
  <id>https://10.141.65.179:52000/services/cluster/manager/control</id>
  <updated>2018-04-01T21:06:21+00:00</updated>
  <generator build="b233a6c1ade2" version="7.2.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/manager/control/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages>
    <s:msg type="INFO">Cluster is now in searchable rolling upgrade mode.</s:msg>
  </s:messages>



cluster/manager/control/default/apply

https://<host>:<mPort>/services/cluster/manager/control/default/apply

Pushes a bundle.


POST

Push a bundle.

Request Parameters

Name Type Default Description
skip-validation
Boolean False Set as true to skip the validation step for this bundle.
ignore_identical_bundle Boolean True Set as false to push this bundle even if current active bundle is identical to this bundle.

Returned Values
None.

Example request and response

XML Request

curl -k -u admin:pass https://host:mPort/services/cluster/manager/control/default/apply -X POST
 

XML Response

<title>clustermanagercontrol</title>
<id>https://wimpy:7420/services/cluster/manager/control</id>
<updated>2019-01-02T13:46:04-08:00</updated>
<generator build="c5340c4d9387ab182815dc279bcd14979b747dc9" version="20181119"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/cluster/manager/control/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>clusterbundles</title>
<id>https://wimpy:7420/services/cluster/manager/control/clusterbundles</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/services/cluster/manager/control/clusterbundles" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/manager/control/clusterbundles" rel="list"/>
<link href="/services/cluster/manager/control/clusterbundles" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="checksum">288845778D5B1952F534AB16DD82881E</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>

cluster/manager/control/default/cancel_bundle_push

https://<host>:<mPort>/services/cluster/manager/control/default/cancel_bundle_push

Cancels and resets the bundle push operation. Use this endpoint when the cluster manager does not receive a validation response from the cluster peer due to an error. For more information, see Configuration bundle issues.


POST

Cancel and reset the bundle push operation.

Request Parameters
None.

Returned Values
None.


Example request and response

XML Request

curl -k -u admin:pass https://host:mPort/services/cluster/manager/control/default/cancel_bundle_push -X POST
 

XML Response

  <title>clustermanagercontrol</title>
  <id>https:/<hostname>:<mgt-port>/services/cluster/manager/control</id>
  <updated>2017-08-21T15:13:13-07:00</updated>
  <generator build="3d1811a2a4dda9f4751be7cc71833cc377f62da8" version="20170823"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/manager/control/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>

cluster/manager/control/default/maintenance

https://<host>:<mPort>/services/cluster/manager/control/default/maintenance

Put the cluster manager into maintenance mode.


POST

Toggle maintenance mode.

Request Parameters

Name Datatype Description
mode Boolean Enable or disable maintenance mode on the cluster manager.

Returned Values
None.

Example request and response

XML Request

curl -k -u username:pass https://<host>:<mPort>/services/cluster/manager/control/default/maintenance -d mode=true
 

XML Response

<title>clustermanagercontrol</title>
<id>https://myserver:8089/services/cluster/manager/control</id>
<updated>2020-05-15T05:45:49+00:00</updated>
<generator build="a6754d8441bf" version="8.0.3"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>

cluster/manager/control/default/rollback

https://<host>:<mPort>/services/cluster/manager/control/default/rollback

Roll a bundle back to the previously active bundle.


POST

Roll back a bundle.

Request Parameters
None.

Returned Values
None.

Example request and response

XML Request

curl -k -u admin:pass https://host:mPort/services/cluster/manager/control/default/rollback -X POST
 

XML Response

<title>clustermanagercontrol</title>
<id>https://wimpy:7420/services/cluster/manager/control</id>
<updated>2019-01-02T13:46:26-08:00</updated>
<generator build="c5340c4d9387ab182815dc279bcd14979b747dc9" version="20181119"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/cluster/manager/control/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>clusterbundles</title>
<id>https://wimpy:7420/services/cluster/manager/control/clusterbundles</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/services/cluster/manager/control/clusterbundles" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/manager/control/clusterbundles" rel="list"/>
<link href="/services/cluster/manager/control/clusterbundles" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="checksum">447F196DB0CF55389029A950E3C2D3E3</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>

cluster/manager/control/default/validate_bundle

https://<host>:<mPort>/services/cluster/manager/control/default/validate_bundle

Tests if the bundle in etc/manager-apps passes validation. Optionally, tests if the bundle will trigger an indexer restart.


POST

Validate a bundle.

Request Parameters

Name Type Default Description
check-restart
Boolean False By default, checks if the bundle passes validation on the cluster manager and indexers. Set to true to check if the bundle will trigger a restart on the indexers.

Returned Values
None.

Example request and response

XML Request

curl -k -u admin:pass https://host:mPort/services/cluster/manager/control/default/validate_bundle -d check-restart=true -X POST
 

XML Response

<title>clustermanagercontrol</title>
<id>https://wimpy:7420/services/cluster/manager/control</id>
<updated>2019-01-02T13:56:48-08:00</updated>
<generator build="c5340c4d9387ab182815dc279bcd14979b747dc9" version="20181119"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/cluster/manager/control/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>clusterbundles</title>
<id>https://wimpy:7420/services/cluster/manager/control/clusterbundles</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/services/cluster/manager/control/clusterbundles" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/manager/control/clusterbundles" rel="list"/>
<link href="/services/cluster/manager/control/clusterbundles" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="checksum">288845778D5B1952F534AB16DD82881E</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>

cluster/manager/fixup

https://<host>:<mPort>/services/cluster/manager/fixup

Access a list of buckets on a specific fixup priority level. Bucket fixups are processed in order of priority level. See Request parameters below for priority level details.

When you access a particular fixup level, buckets may appear in it even though they do not need fixup at this level. Initially, each bucket requiring fixup is added to all levels, even though it might only require processing in a subset of all levels. As the bucket is processed through a level, it is deleted from that level.


GET

List buckets on the specified fixup level.


Request parameters

Pagination and filtering parameters can be used with this method.

Name Datatype Description
level String Required. Fixup priority level. Use one of the following level values, listed in order of priority.
  • streaming : Hot buckets that need to be rolled or have their size committed.
  • data_safety : Buckets without at least two rawdata copies.
  • generation : Buckets without a primary copy.
  • replication_factor : Buckets without replication factor number of copies.
  • search_factor : Buckets without search factor number of copies.
  • checksum_sync : Level for syncing a bucket's delete files across all peers that have this bucket. Syncing is determined based on the checksum of all of the delete files.
index String Optional. Index name.


Returned values
For each bucket in the specified fixup level, the response includes the following details for the initial time when the bucket went into the fixup level and the latest time that the bucket was checked.

Name Description
id Bucket id.
reason Initial or latest reason for the bucket being on this fixup level.
timestamp Timestamp for initial bucket addition to fixup list or latest bucket check.


Example request and response

XML Request

curl -k -u admin:password https://localhost:8089/services/cluster/manager/fixup?level=replication_factor

XML Response

<title>clustermanagerfixup</title>
  <id>https://localhost:8089/services/cluster/manager/fixup</id>
  <updated>2015-11-09T17:05:48-08:00</updated>
  <generator build="802b4ea159bb584c629dcdb8ba57c409b1d5b7ab" version="20151030"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/manager/fixup/_acl" rel="_acl"/>
  <opensearch:totalResults>2</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>_audit~212~22220097-5E3F-4D26-B301-ECE3C4CD2222</title>
    <id>https://localhost:8089/services/cluster/manager/fixup/_audit~212~22220097-5E3F-4D26-B301-ECE3C4CD2222</id>
    <updated>2015-11-09T17:05:48-08:00</updated>
    <link href="/services/cluster/manager/fixup/_audit~212~22220097-5E3F-4D26-B301-ECE3C4CD2222" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/cluster/manager/fixup/_audit~212~22220097-5E3F-4D26-B301-ECE3C4CD2222" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="index">_audit</s:key>
        <s:key name="initial">
          <s:dict>
            <s:key name="reason">add peer=22220097-5E3F-4D26-B301-ECE3C4CD2222 new bucket</s:key>
            <s:key name="timestamp">1447099323</s:key>
          </s:dict>
        </s:key>
        <s:key name="latest">
          <s:dict>
            <s:key name="reason">Missing enough suitable candidates to create replicated copy in order to meet replication policy. Missing={ site2:1 }</s:key>
            <s:key name="timestamp">1447117547</s:key>
          </s:dict>
        </s:key>
        <s:key name="level">replication_factor</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>_internal~12628~111163F8-61F4-4AB3-A1A7-2EDCB10C1111</title>
    <id>https://localhost:8089/services/cluster/manager/fixup/_internal~12628~111163F8-61F4-4AB3-A1A7-2EDCB10C1111</id>
    <updated>2015-11-09T17:05:48-08:00</updated>
    <link href="/services/cluster/manager/fixup/_internal~12628~111163F8-61F4-4AB3-A1A7-2EDCB10C1111" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/cluster/manager/fixup/_internal~12628~111163F8-61F4-4AB3-A1A7-2EDCB10C1111" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="index">_internal</s:key>
        <s:key name="initial">
          <s:dict>
            <s:key name="reason">add peer=111163F8-61F4-4AB3-A1A7-2EDCB10C1111 new bucket</s:key>
            <s:key name="timestamp">1447099323</s:key>
          </s:dict>
        </s:key>
        <s:key name="latest">
          <s:dict>
            <s:key name="reason">Missing enough suitable candidates to create replicated copy in order to meet replication policy. Missing={ site1:1 }</s:key>
            <s:key name="timestamp">1447117547</s:key>
          </s:dict>
        </s:key>
        <s:key name="level">replication_factor</s:key>
      </s:dict>
    </content>
  </entry>

cluster/manager/generation

https://<host>:<mPort>/services/cluster/manager/generation

Access current generation cluster manager information and create a cluster generation.


GET

List peer nodes participating in the current generation for this manager.


Request parameters

Pagination and filtering parameters can be used with this method.

Returned values

Name Description
generation_id The ID for the current generation for this manager.
generation_peers Lists the peers for this generation of the cluster.
pending_generation_id The next generation ID used by the manager when committing a new generation.

This value is useful for debugging.

pending_last_attempt The timestamp of the last attempt to commit to the pending generation ID (if ever).
pending_last_reason The reason why this peer failed to commit to the pending generation.

This parameter is EMPTY if no such attempt was made.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/manager/generation

XML Response

<title>clustermanagergeneration</title>
 <id>https://localhost:8089/services/cluster/manager/generation</id>
 <updated>2012-09-05T10:39:54-07:00</updated>
 <generator build="136169" version="5.0"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>manager</title>
   <id>https://localhost:8089/services/cluster/manager/generation/manager</id>
   <updated>2012-09-05T10:39:54-07:00</updated>
   <link href="/services/cluster/manager/generation/manager" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/manager/generation/manager" rel="list"/>
   <content type="text/xml">
     <s:dict>
       ... eai:acl node elided ...
       <s:key name="generation_id">2</s:key>
       <s:key name="generation_peers">
         <s:dict>
           <s:key name="2AF11DD4-1424-4A14-A522-FB9D055E9516">
             <s:dict>
               <s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8389</s:key>
               <s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
             </s:dict>
           </s:key>
           <s:key name="50FCDB42-E167-458D-A6A9-E4587E8F16D9">
             <s:dict>
               <s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8189</s:key>
               <s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="pending_generation_id">3</s:key>
       <s:key name="pending_last_attempt">0</s:key>
       <s:key name="pending_last_reason"></s:key>
     </s:dict>
   </content>
 </entry>


POST

Create a cluster generation.


Request parameters

Name Type Default Description
name
required
String The URI of the searchhead node of a cluster upon which to create a new generation.
generation_poll_interval Number How often, in seconds, the searchhead polls the manager for generation information.

Defaults to 60 seconds.

label String Server name for the Splunk platform instance specified by the name attribute.
mgmt_port String The managment port of searchhead node in a cluster upon which you are creating a new generation.
register_search_address String The address on which a peer node is available as search head.

This is useful in the cases where a host machine has multiple interfaces and only one of them can be reached by another splunkd instance.


Returned values

Name Description
generation_id The ID for the current generation for this manager.
generation_peers Lists the peers for this generation of the cluster.
pending_generation_id The next generation ID used by the manager when committing a new generation.

This value is useful for debugging.

pending_last_attempt The timestamp of the last attempt to commit to the pending generation ID (if ever).
pending_last_reason The reason why this peer failed to commit to the pending generation.

This parameter is EMPTY if no such attempt was made.

replication_factor_met Indicates if the replication factor was met for the cluster.
search_factor_met Indicates if the search factor was met for the cluster.
was_forced Indicates next generation was forcibly committed.

Example request and response
XML Request

curl -k -u admin:pass https://myserver:8089/services/cluster/manager/generation -d name=foo

XML Response

<title>clustermanagergeneration</title>
 <id>https://myserver:8089/services/cluster/manager/generation</id>
 <updated>2013-10-31T13:58:51-07:00</updated>
 <generator build="184661" version="20131030"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/manager/generation/_new" rel="create"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>manager</title>
   <id>https://myserver:8089/services/cluster/manager/generation/manager</id>
   <updated>2013-10-31T13:58:51-07:00</updated>
   <link href="/services/cluster/manager/generation/manager" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/manager/generation/manager" rel="list"/>
   <link href="/services/cluster/manager/generation/manager" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       ... eai:acl node elided ...
       <s:key name="generation_id">5</s:key>
       <s:key name="generation_peers">
         <s:dict>
           <s:key name="11111111-1111-1111-1111-111111111111">
             <s:dict>
               <s:key name="host_port_pair">myserver.splunk.com:6431</s:key>
               <s:key name="peer">PEER1</s:key>
             </s:dict>
           </s:key>
           <s:key name="22222222-2222-2222-2222-222222222222">
             <s:dict>
               <s:key name="host_port_pair">myserver.splunk.com:6432</s:key>
               <s:key name="peer">PEER2</s:key>
             </s:dict>
           </s:key>
           <s:key name="33333333-3333-3333-3333-333333333333">
             <s:dict>
               <s:key name="host_port_pair">myserver.splunk.com:6433</s:key>
               <s:key name="peer">PEER3</s:key>
             </s:dict>
           </s:key>
           <s:key name="44444444-4444-4444-4444-444444444444">
             <s:dict>
               <s:key name="host_port_pair">myserver.splunk.com:6434</s:key>
               <s:key name="peer">PEER4</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="pending_generation_id">6</s:key>
       <s:key name="pending_last_attempt">0</s:key>
       <s:key name="pending_last_reason"></s:key>
       <s:key name="replication_factor_met">1</s:key>
       <s:key name="search_factor_met">1</s:key>
       <s:key name="was_forced">0</s:key>
     </s:dict>
   </content>
 </entry>

cluster/manager/generation/{name}

https://<host>:<mPort>/services/cluster/manager/generation/{name}

Access information about a peer node participating in the current generation for the specified search head GUID.


GET

List peer node information of the specified search head GUID.


Request parameters

None


Returned values

Name Description
generation_id The ID of the current generation for this manager.
generation_peers Lists the peers for this generation of the cluster.
pending_generation_id The next generation ID used by the manager when committing a new generation.

This value is useful for debugging.

pending_last_attempt The timestamp of the last attempt to commit to the pending generation ID (if ever).
pending_last_reason The reason why this peer failed to commit to the pending generation.

This parameter is EMPTY if no such attempt was made.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/manager/generation/manager

XML Response

<title>clustermanagergeneration</title>
 <id>https://localhost:8089/services/cluster/manager/generation</id>
 <updated>2012-09-05T10:45:27-07:00</updated>
 <generator build="136169" version="5.0"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>manager</title>
   <id>https://localhost:8089/services/cluster/manager/generation/manager</id>
   <updated>2012-09-05T10:45:27-07:00</updated>
   <link href="/services/cluster/manager/generation/manager" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/manager/generation/manager" rel="list"/>
   <content type="text/xml">
     <s:dict>
       ... eai:acl node elided ...
       ... eai:attributes node elided ...
       <s:key name="generation_id">2</s:key>
       <s:key name="generation_peers">
         <s:dict>
           <s:key name="2AF11DD4-1424-4A14-A522-FB9D055E9516">
             <s:dict>
               <s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8389</s:key>
               <s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
             </s:dict>
           </s:key>
           <s:key name="50FCDB42-E167-458D-A6A9-E4587E8F16D9">
             <s:dict>
               <s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8189</s:key>
               <s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="pending_generation_id">3</s:key>
       <s:key name="pending_last_attempt">0</s:key>
       <s:key name="pending_last_reason"></s:key>
     </s:dict>
   </content>
 </entry>


POST

Create a new generation for the specified search head GUID.


Request parameters

Name Type Description
generation_poll_interval Number How often, in seconds, the searchhead polls the manager for generation information.

Defaults to 60 seconds.

label String Server name for the search head specified by {name}.
mgmt_port String The managment port of searchhead node in a cluster upon which you are creating a new generation.
register_search_address String The address on which a peer node is available as search head.

This is useful when a host machine has multiple interfaces and only one of them can be reached by another splunkd instance.


Returned values

Name Description
generation_id The ID for the current generation for this manager.
generation_peers Lists the peers for this generation of the cluster.
pending_generation_id The next generation ID used by the manager when committing a new generation.

This value is useful for debugging.

pending_last_attempt The timestamp of the last attempt to commit to the pending generation ID (if ever).
pending_last_reason The reason why this peer failed to commit to the pending generation.

This parameter is EMPTY if no such attempt was made.

replication_factor_met Indicates if the replication factor was met for the cluster.
search_factor_met Indicates if the search factor was met for the cluster.
was_forced Indicates next generation was forcibly committed.


Example request and response

XML Request

curl -k -u admin:pass https://myserver:8089/services/cluster/manager/generation/foo -X POST -d generation_poll_interval=62 -d label=PEER2

XML Response

 <title>clustermanagergeneration</title>
 <id>https://myserver:8089/services/cluster/manager/generation</id>
 <updated>2013-10-31T14:37:20-07:00</updated>
 <generator build="184661" version="20131030"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/manager/generation/_new" rel="create"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>manager</title>
   <id>https://myserver:8089/services/cluster/manager/generation/manager</id>
   <updated>2013-10-31T14:37:20-07:00</updated>
   <link href="/services/cluster/manager/generation/manager" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/manager/generation/manager" rel="list"/>
   <link href="/services/cluster/manager/generation/manager" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       ... eai:acl node elided ...
       <s:key name="generation_id">5</s:key>
       <s:key name="generation_peers">
         <s:dict>
           <s:key name="11111111-1111-1111-1111-111111111111">
             <s:dict>
               <s:key name="host_port_pair">myserver.splunk.com:6431</s:key>
               <s:key name="peer">PEER1</s:key>
             </s:dict>
           </s:key>
           <s:key name="22222222-2222-2222-2222-222222222222">
             <s:dict>
               <s:key name="host_port_pair">myserver.splunk.com:6432</s:key>
               <s:key name="peer">PEER2</s:key>
             </s:dict>
           </s:key>
           <s:key name="33333333-3333-3333-3333-333333333333">
             <s:dict>
               <s:key name="host_port_pair">myserver.splunk.com:6433</s:key>
               <s:key name="peer">PEER3</s:key>
             </s:dict>
           </s:key>
           <s:key name="44444444-4444-4444-4444-444444444444">
             <s:dict>
               <s:key name="host_port_pair">myserver.splunk.com:6434</s:key>
               <s:key name="peer">PEER4</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="pending_generation_id">6</s:key>
       <s:key name="pending_last_attempt">0</s:key>
       <s:key name="pending_last_reason"></s:key>
       <s:key name="replication_factor_met">1</s:key>
       <s:key name="search_factor_met">1</s:key>
       <s:key name="was_forced">0</s:key>
     </s:dict>
   </content>
 </entry>

cluster/manager/ha_active_status

https://<host>:<mPort>/services/cluster/manager/ha_active_status

Used by the load balancers to check the high availability mode of a given cluster manager.

The active cluster manager will return "HTTP 200", denoting "healthy", and a startup or standby cluster manager will return "HTTP 503".

Authentication and authorization
This endpoint is unauthenticated because some load balancers don't support authentication on a health check endpoint.

GET

Checks the high availability mode of a given cluster manager.


Request parameters

None


Returned values

None


Example request and response

Request

curl -k -v -u admin:changeme https://mrt:15511/services/cluster/manager/ha_active_status

Response

From active cluster manager:

< HTTP/1.1 200 OK
< Date: Tue, 10 May 2022 10:45:57 GMT
< Expires: Thu, 26 Oct 1978 00:00:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, max-age=0
< Content-Type: text/xml; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 1740
< Connection: Keep-Alive
< X-Frame-Options: SAMEORIGIN
< Server: Splunkd
<
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf [httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>clusteractivemanager</title>
  <id>https://mrt:15511/services/cluster/manager/ha_active_status</id>
  <updated>2022-05-10T10:45:57+00:00</updated>
  <generator build="5ca3c0f7da3fe0b8be8e4a9ca6ac785dcf812149" version="20220426"/>
  <author>
    <name>Splunk</name>
  </author>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

From standby cluster manager:


< HTTP/1.1 503 Service Unavailable
< Date: Tue, 10 May 2022 10:47:00 GMT
< Expires: Thu, 26 Oct 1978 00:00:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, max-age=0
< Content-Type: text/xml; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 154
< Connection: Keep-Alive
< X-Frame-Options: SAMEORIGIN
< Server: Splunkd
<
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">Cluster manager is in inactive mode.</msg>
  </messages>
</response>


cluster/manager/health

https://<host>:<mPort>/services/cluster/manager/health

Performs health checks to determine the cluster health and search impact, prior to a rolling upgrade of the indexer cluster.

Authentication and Authorization

Requires the admin role or list_indexer_cluster capability.


GET

Get indexer cluster health check results.


Request parameters

Pagination and filtering parameters can be used with this method.


Returned values

Name Datatype Description
all_data_is_searchable Boolean Indicates if all data in the cluster is searchable.
all_peers_are_up Boolean Indicate if all peers are strictly in the Up status.
cm_version_is_compatible Boolean Indicates if any cluster peers are running a Splunk Enterprise version greater than or equal to the cluster manager's version.
multisite Boolean Indicates if multisite is enabled.
no_fixups_in_progress Boolean Indicates if there does not exist buckets with bucket state NonStreamingTarget, or bucket search states PendingSearchable or SearchablePendingMask.
pre_flight_check Boolean Indicates if the health check prior to a rolling upgrade was successful. This value is true only if the cluster passed all health checks.
replication_factor_met Boolean Only valid for mode=manager and multisite=false. Indicates whether the replication factor is met. If true, the cluster has at least replication_factor number of raw data copies in the cluster.
search_factor_met Boolean Only valid for mode=manager and multisite=false. Indicates whether the search factor is met. If true, the cluster has at least search_factor number of raw data copies in the cluster.
site_replication_factor_met Boolean Only valid for mode=manager and multisite=true. Indicates whether the site replication factor is met. If true, the cluster has at least replication_factor number of raw data copies in the cluster.
site_search_factor_met Boolean Only valid for mode=manager and multisite=true. Indicates whether the site search factor is met. If true, the cluster has at least site_search_factor number of raw data copies in the cluster.
splunk_version_peer_count String Lists the number of cluster peers running each Splunk Enterprise version.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/manager/health

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>clustermanagerhealth</title>
  <id>https://10.141.65.179:52000/services/cluster/manager/health</id>
  <updated>2018-04-01T19:53:47+00:00</updated>
  <generator build="b233a6c1ade2" version="7.2.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/manager/health/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>manager</title>
    <id>https://10.141.65.179:52000/services/cluster/manager/health/manager</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/services/cluster/manager/health/manager" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/cluster/manager/health/manager" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="all_data_is_searchable">1</s:key>
        <s:key name="all_peers_are_up">1</s:key>
        <s:key name="cm_version_is_compatible">1</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="multisite">0</s:key>
        <s:key name="no_fixup_tasks_in_progress">1</s:key>
        <s:key name="pre_flight_check">1</s:key>
        <s:key name="replication_factor_met">1</s:key>
        <s:key name="search_factor_met">1</s:key>
        <s:key name="site_replication_factor_met">1</s:key>
        <s:key name="site_search_factor_met">1</s:key>
        <s:key name="splunk_version_peer_count">{ 7.1.0: 3 }</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

cluster/manager/indexes

https://<host>:<mPort>/services/cluster/manager/indexes

Access cluster index information.


GET

List cluster indices.


Request parameters

None


Returned values

Attribute Description
buckets_with_excess_copies Number of distinct buckets that have one or more excess replication copies.
buckets_with_excess_searchable_copies Number of distinct buckets that have one or more excess searchable copies.
index_size Size of the index
is_searchable When every bucket in the index has a primary, the index is considered "searchable".
non_site_aware_buckets_in_site_aware_cluster Number of buckets created when the cluster was not in a multisite config. (Included only when the cluster is in multisite config.)
num_buckets Total number of distinct buckets.
replicated_copies_tracker Displays how many distinct buckets have X number of copies. One of the following options.
actual_copies_per_slot
Number of buckets with X copies.
expected_total_per_slot
Expected number of buckets with X copies.
searchable_copies_tracker Displays how many distinct buckets have X number of searchable copies. One of the following options.
actual_copies_per_slot
Number of buckets with X searchable copies.
expected_total_per_slot
Expected number of buckets with X searchable copies.
sort_order Used by UI.
total_excess_bucket_copies Total number of excess copies for all buckets.
total_excess_searchable_copies Total number of excess searchable copies for all buckets.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/manager/indexes

XML Response

<title>clustermanagerpeerindexes</title>
 <id>https://localhost:8089/services/cluster/manager/indexes</id>
 <updated>2014-04-17T19:11:14+00:00</updated>
 <generator build="204899" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>2</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>_audit</title>
   <id>https://localhost:8089/services/cluster/manager/indexes/_audit</id>
   <updated>2014-04-17T19:11:14+00:00</updated>
   <link href="/services/cluster/manager/indexes/_audit" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/manager/indexes/_audit" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="buckets_with_excess_copies">0</s:key>
       <s:key name="buckets_with_excess_searchable_copies">0</s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="index_size">284975</s:key>
       <s:key name="is_searchable">1</s:key>
       <s:key name="non_site_aware_buckets_in_site_aware_cluster">6</s:key>
       <s:key name="num_buckets">12</s:key>
       <s:key name="replicated_copies_tracker">
         <s:dict>
           <s:key name="0">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
           <s:key name="1">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
           <s:key name="2">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="searchable_copies_tracker">
         <s:dict>
           <s:key name="0">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
           <s:key name="1">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="sort_order">4294967295</s:key>
       <s:key name="total_excess_bucket_copies">0</s:key>
       <s:key name="total_excess_searchable_copies">0</s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>_internal</title>
   <id>https://localhost:8089/services/cluster/manager/indexes/_internal</id>
   <updated>2014-04-17T19:11:14+00:00</updated>
   <link href="/services/cluster/manager/indexes/_internal" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/manager/indexes/_internal" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="buckets_with_excess_copies">0</s:key>
       <s:key name="buckets_with_excess_searchable_copies">0</s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="index_size">1190869</s:key>
       <s:key name="is_searchable">1</s:key>
       <s:key name="non_site_aware_buckets_in_site_aware_cluster">6</s:key>
       <s:key name="num_buckets">12</s:key>
       <s:key name="replicated_copies_tracker">
         <s:dict>
           <s:key name="0">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
           <s:key name="1">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
           <s:key name="2">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="searchable_copies_tracker">
         <s:dict>
           <s:key name="0">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
           <s:key name="1">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="sort_order">4294967295</s:key>
       <s:key name="total_excess_bucket_copies">0</s:key>
       <s:key name="total_excess_searchable_copies">0</s:key>
     </s:dict>
   </content>
 </entry>

cluster/manager/indexes/{name}

https://<host>:<mPort>/services/cluster/manager/indexes/{name}

Access specific cluster index information.


GET

List {name} index information.


Request parameters

None


Returned values

Attribute Description
buckets_with_excess_copies Number of distinct buckets that have one or more excess replication copies.
buckets_with_excess_searchable_copies Number of distinct buckets that have one or more excess searchable copies.
index_size Size of the index
is_searchable When every bucket in the index has a primary, the index is considered "searchable".
non_site_aware_buckets_in_site_aware_cluster Number of buckets created when the cluster was not in a multisite config. (Included only when the cluster is in multisite config.)
num_buckets Total number of distinct buckets. Displays how many distinct buckets have X number of copies. One of the following options.
actual_copies_per_slot
Number of buckets with X copies.
expected_total_per_slot
Expected number of buckets with X copies.
searchable_copies_tracker Displays how many distinct buckets have X number of searchable copies. One of the following options.
actual_copies_per_slot
Number of buckets with X searchable copies.
expected_total_per_slot
Expected number of buckets with X searchable copies.
sort_order Used by UI.
total_excess_bucket_copies Total number of excess copies for all buckets.
total_excess_searchable_copies Total number of excess searchable copies for all buckets.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/manager/indexes/_audit

XML Response

<title>clustermanagerpeerindexes</title>
 <id>https://localhost:8089/services/cluster/manager/indexes</id>
 <updated>2014-04-17T19:11:14+00:00</updated>
 <generator build="204899" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>2</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>_audit</title>
   <id>https://localhost:8089/services/cluster/manager/indexes/_audit</id>
   <updated>2014-04-17T19:11:14+00:00</updated>
   <link href="/services/cluster/manager/indexes/_audit" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/manager/indexes/_audit" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="buckets_with_excess_copies">0</s:key>
       <s:key name="buckets_with_excess_searchable_copies">0</s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="index_size">284975</s:key>
       <s:key name="is_searchable">1</s:key>
       <s:key name="non_site_aware_buckets_in_site_aware_cluster">6</s:key>
       <s:key name="num_buckets">12</s:key>
       <s:key name="replicated_copies_tracker">
         <s:dict>
           <s:key name="0">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
           <s:key name="1">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
           <s:key name="2">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="searchable_copies_tracker">
         <s:dict>
           <s:key name="0">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
           <s:key name="1">
             <s:dict>
               <s:key name="actual_copies_per_slot">12</s:key>
               <s:key name="expected_total_per_slot">12</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="sort_order">4294967295</s:key>
       <s:key name="total_excess_bucket_copies">0</s:key>
       <s:key name="total_excess_searchable_copies">0</s:key>
     </s:dict>
   </content>
 </entry>

cluster/manager/info

https://<host>:<mPort>/services/cluster/manager/info

Access information about cluster manager node.


GET

List cluster manager node details.


Request parameters

Pagination and filtering parameters can be used with this method.


Returned values

Name Description
active_bundle Provides information about the active bundle for this manager.
bundle_creation_time_on_manager The time, in epoch seconds, when the bundle was created on the manager.
bundle_validation_errors_on_manager A list of bundle validation errors.
bundle_validation_in_progress Indicates if bundle validation is in progress.
bundle_validation_on_manager_succeeded Indicates whether the manager succeeded validating bundles.
data_safety_buckets_to_fix Lists the buckets to fix for the completion of data safety.
gen_commit_buckets_to_fix The buckets to be fixed before the next generation can be committed.
indexing_ready_flag Indicates if the cluster is ready for indexing.
initialized_flag Indicates if the cluster is initialized.
label The name for the manager. Displayed in the Splunk Web manager page.
latest_bundle The most recent information reflecting any changes made to the manager-apps configuration bundle.

In steady state, this is equal to active_bundle. If it is not equal, then pushing the latest bundle to all peers is in process (or needs to be started).

maintenance_mode Indicates if the cluster is in maintenance mode.
reload_bundle_issued Indicates if the bundle issued is being reloaded.
rep_count_buckets_to_fix Number of buckets to fix on peers.
rolling_restart_flag Indicates whether the manager is restarting the peers in a cluster.
search_count_buckets_to_fix Number of buckets to fix to satisfy the search count.
service_ready_flag Indicates whether the manager is ready to begin servicing, based on whether it is initialized.
start_time Timestamp corresponding to the creation of the manager.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/manager/info

XML Response

<title>clustermanagerinfo</title>
 <id>http://greentea.sv.splunk.com:8089/services/cluster/manager/info</id>
 <updated>2013-07-23T10:36:35-07:00</updated>
 <generator build="172635" version="6.0"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>manager</title>
   <id>http://greentea.sv.splunk.com:8089/services/cluster/manager/info/manager</id>
   <updated>2013-07-23T10:36:35-07:00</updated>
   <link href="/services/cluster/manager/info/manager" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/manager/info/manager" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="active_bundle">
         <s:dict>
           <s:key name="bundle_path">/home/eserv/schoi/apple_manager/splunk/var/run/splunk/cluster/remote-bundle/66e383cafa8ff1f033e2341e35fc2e09-1374594357.bundle</s:key>
           <s:key name="checksum">a98f211c7bc6b141bd4fe5775c7cd193</s:key>
           <s:key name="timestamp">1374594357</s:key>
         </s:dict>
       </s:key>
       <s:key name="bundle_creation_time_on_manager">1374594357</s:key>
       <s:key name="bundle_validation_errors_on_manager">
         <s:list/>
       </s:key>
       <s:key name="bundle_validation_in_progress">0</s:key>
       <s:key name="bundle_validation_on_manager_succeeded">1</s:key>
       <s:key name="data_safety_buckets_to_fix">
         <s:dict>
           <s:key name="_internal~1~05BB0AAC-61A5-491B-9153-3B02E6DA6130">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">resolved initial state</s:key>
                   <s:key name="timestamp">1374594631</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason"></s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="_internal~1~76AFDA4D-DAA7-48A8-A738-DD669A0853CD">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">resolved initial state</s:key>
                   <s:key name="timestamp">1374594631</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason"></s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
               .
               .
               .
             elided
               .
               .
               .
           <s:key name="i5~659~8CEAE4B4-BAB0-415E-9DA6-0438ECD8B3EF">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">streaming success</s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason">streaming success</s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       ... eai:acl node elided ...
       <s:key name="gen_commit_buckets_to_fix">
         <s:dict>
           <s:key name="_internal~1~05BB0AAC-61A5-491B-9153-3B02E6DA6130">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">resolved initial state</s:key>
                   <s:key name="timestamp">1374594631</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason"></s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="_internal~1~76AFDA4D-DAA7-48A8-A738-DD669A0853CD">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">resolved initial state</s:key>
                   <s:key name="timestamp">1374594631</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason"></s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
               .
               .
               .
             elided
               .
               .
               .
           <s:key name="i5~659~8CEAE4B4-BAB0-415E-9DA6-0438ECD8B3EF">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">streaming success</s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason">streaming success</s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="indexing_ready_flag">1</s:key>
       <s:key name="initialized_flag">1</s:key>
       <s:key name="label">manager_nc</s:key>
       <s:key name="latest_bundle">
         <s:dict>
           <s:key name="bundle_path">/home/eserv/schoi/apple_manager/splunk/var/run/splunk/cluster/remote-bundle/66e383cafa8ff1f033e2341e35fc2e09-1374594357.bundle</s:key>
           <s:key name="checksum">a98f211c7bc6b141bd4fe5775c7cd193</s:key>
           <s:key name="timestamp">1374594357</s:key>
         </s:dict>
       </s:key>
       <s:key name="maintenance_mode">0</s:key>
       <s:key name="reload_bundle_issued">0</s:key>
       <s:key name="rep_count_buckets_to_fix">
         <s:dict>
           <s:key name="_internal~1~05BB0AAC-61A5-491B-9153-3B02E6DA6130">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">resolved initial state</s:key>
                   <s:key name="timestamp">1374594631</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason"></s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="_internal~1~76AFDA4D-DAA7-48A8-A738-DD669A0853CD">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">resolved initial state</s:key>
                   <s:key name="timestamp">1374594631</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason"></s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
               .
               .
               .
             elided
               .
               .
               .
           <s:key name="i5~659~8CEAE4B4-BAB0-415E-9DA6-0438ECD8B3EF">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">streaming success</s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason">streaming success</s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="rolling_restart_flag">0</s:key>
       <s:key name="search_count_buckets_to_fix">
         <s:dict>
           <s:key name="_internal~1~05BB0AAC-61A5-491B-9153-3B02E6DA6130">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">resolved initial state</s:key>
                   <s:key name="timestamp">1374594631</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason"></s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="_internal~1~76AFDA4D-DAA7-48A8-A738-DD669A0853CD">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">resolved initial state</s:key>
                   <s:key name="timestamp">1374594631</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason"></s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
               .
               .
               .
             elided
               .
               .
               .
           <s:key name="i5~659~8CEAE4B4-BAB0-415E-9DA6-0438ECD8B3EF">
             <s:dict>
               <s:key name="initial">
                 <s:dict>
                   <s:key name="reason">streaming success</s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
               <s:key name="latest">
                 <s:dict>
                   <s:key name="reason">streaming success</s:key>
                   <s:key name="timestamp">1374600995</s:key>
                 </s:dict>
               </s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="service_ready_flag">1</s:key>
       <s:key name="start_time">1374594571</s:key>
     </s:dict>
   </content>
 </entry>


cluster/manager/peers

https://<host>:<mPort>/services/cluster/manager/peers

Access cluster manager peers.

See also
cluster/manager/control/control/remove_peers


GET

List cluster manager peers.


Request parameters

Pagination and filtering parameters can be used with this method.


Returned values

Name Description
active_bundle_id The ID of the configuration bundle currently being used by the manager.
apply_bundle_status Bundle status enumeration.
base_generation_id The initial bundle generation ID recognized by this peer. Any searches from previous generations fail.

The initial bundle generation ID is created when a peer first comes online, restarts, or recontacts the manager.

bucket_count Count of the number of buckets on this peer, across all indexes.
bucket_count_by_index Count of the number of buckets by index on this peer.
delayed_buckets_to_discard List of bucket IDs waiting to be discarded on this peer.
fixup_set The set of buckets that need repair once you take the peer offline.
heartbeat_started Flag indicating if this peer has started heartbeating.
host_port_pair The host and port advertised to peers for the data replication channel.

Can be either of the form IP:port or hostname:port.

is_searchable Flag indicating if this peer belongs to the current committed generation and is searchable.
label The name for the peer. Displayed on the manager page.
last_heartbeat Timestamp for last heartbeat recieved from the peer.
latest_bundle_id The ID of the configuration bundle this peer is using.
pending_job_count Used by the manager to keep track of pending jobs requested by the manager to this peer.
primary_count Number of buckets for which the peer is primary in its local site, or the number of buckets that return search results from same site as the peer.
primary_count_remote Number of buckets for which the peer is primary that are not in its local site.
replication_count Number of replications this peer is part of, as either source or target.
replication_port TCP port to listen for replicated data from another cluster member.
replication_use_ssl Indicates whether to use SSL when sending replication data.
search_state_counter Lists the number of buckets on the peer for each search state for the bucket.


Possible values for search state include:

Searchable
Unsearchable
site To which site the peer belongs.
status Indicates the status of the peer.


Valid values are:

Up
Pending
AutomaticDetention
ManualDetention-PortsEnabled
ManualDetention
Restarting
ShuttingDown
ReassigningPrimaries
Decommissioning
GracefulShutdown
Stopped
Down
BatchAdding
status_counter Lists the number of buckets on the peer for each bucket status.

Possible values for bucket status:

Complete: complete (warm/cold) bucket
NonStreamingTarget: target of replication for already completed (warm/cold) bucket
PendingTruncate: bucket pending truncation
PendingDiscard: bucket pending discard
Standalone: bucket that is not replicated
StreamingError: copy of streaming bucket where some error was encountered
StreamingSource: streaming hot bucket on source side
StreamingTarget: streaming hot bucket copy on target side
Unset: uninitialized


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/manager/peers


XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">

 <title>clustermanagerpeers</title>
 <id>https://localhost:8089/services/cluster/manager/peers</id>
 <updated>2014-04-17T19:17:08+00:00</updated>
 <generator build="204899" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/manager/peers/_new" rel="create"/>
 <opensearch:totalResults>6</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>238C3311-F0A4-4A9B-97F0-53667CFFEEAB</title>
   <id>https://localhost:8089/services/cluster/manager/peers/238C3311-F0A4-4A9B-97F0-53667CFFEEAB</id>
   <updated>2014-04-17T19:17:08+00:00</updated>
   <link href="/services/cluster/manager/peers/238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/manager/peers/238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="list"/>
   <link href="/services/cluster/manager/peers/238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="active_bundle_id">4708B74780A1E5101449548B1E103616</s:key>
       <s:key name="apply_bundle_status">
         <s:dict>
           <s:key name="invalid_bundle">
             <s:dict>
               <s:key name="bundle_validation_errors">
                 <s:list/>
               </s:key>
               <s:key name="invalid_bundle_id"></s:key>
             </s:dict>
           </s:key>
           <s:key name="reload_error"></s:key>
           <s:key name="restart_required_for_apply_bundle">0</s:key>
         </s:dict>
       </s:key>
       <s:key name="base_generation_id">6</s:key>
       <s:key name="bucket_count">10</s:key>
       <s:key name="bucket_count_by_index">
         <s:dict>
           <s:key name="_audit">5</s:key>
           <s:key name="_internal">5</s:key>
         </s:dict>
       </s:key>
       <s:key name="delayed_buckets_to_discard">
         <s:list/>
       </s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="fixup_set">
         <s:list/>
       </s:key>
       <s:key name="heartbeat_started">1</s:key>
       <s:key name="host_port_pair">127.0.1.1:8096</s:key>
       <s:key name="is_searchable">1</s:key>
       <s:key name="label">s2p3</s:key>
       <s:key name="last_heartbeat">1397762228</s:key>
       <s:key name="latest_bundle_id">4708B74780A1E5101449548B1E103616</s:key>
       <s:key name="pending_job_count">0</s:key>
       <s:key name="primary_count">5</s:key>
       <s:key name="primary_count_remote">2</s:key>
       <s:key name="replication_count">0</s:key>
       <s:key name="replication_port">9905</s:key>
       <s:key name="replication_use_ssl">0</s:key>
       <s:key name="search_state_counter">
         <s:dict>
           <s:key name="Searchable">5</s:key>
           <s:key name="SearchablePendingMask">0</s:key>
           <s:key name="Unsearchable">5</s:key>
         </s:dict>
       </s:key>
       <s:key name="site">site2</s:key>
       <s:key name="status">Up</s:key>
       <s:key name="status_counter">
         <s:dict>
           <s:key name="Complete">6</s:key>
           <s:key name="NonStreamingTarget">0</s:key>
           <s:key name="StreamingSource">2</s:key>
           <s:key name="StreamingTarget">2</s:key>
         </s:dict>
       </s:key>
     </s:dict>
   </content>
 </entry>
     .
     .
     .
   elided
     .
     .
     .
 <entry>
   <title>E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C</title>
   <id>https://localhost:8089/services/cluster/manager/peers/E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C</id>
   <updated>2014-04-17T19:17:08+00:00</updated>
   <link href="/services/cluster/manager/peers/E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/manager/peers/E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C" rel="list"/>
   <link href="/services/cluster/manager/peers/E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="active_bundle_id">4708B74780A1E5101449548B1E103616</s:key>
       <s:key name="apply_bundle_status">
         <s:dict>
           <s:key name="invalid_bundle">
             <s:dict>
               <s:key name="bundle_validation_errors">
                 <s:list/>
               </s:key>
               <s:key name="invalid_bundle_id"></s:key>
             </s:dict>
           </s:key>
           <s:key name="reload_error"></s:key>
           <s:key name="restart_required_for_apply_bundle">0</s:key>
         </s:dict>
       </s:key>
       <s:key name="base_generation_id">4</s:key>
       <s:key name="bucket_count">13</s:key>
       <s:key name="bucket_count_by_index">
         <s:dict>
           <s:key name="_audit">6</s:key>
           <s:key name="_internal">7</s:key>
         </s:dict>
       </s:key>
       <s:key name="delayed_buckets_to_discard">
         <s:list/>
       </s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="fixup_set">
         <s:list/>
       </s:key>
       <s:key name="heartbeat_started">1</s:key>
       <s:key name="host_port_pair">127.0.1.1:8094</s:key>
       <s:key name="is_searchable">1</s:key>
       <s:key name="label">s2p1</s:key>
       <s:key name="last_heartbeat">1397762227</s:key>
       <s:key name="latest_bundle_id">4708B74780A1E5101449548B1E103616</s:key>
       <s:key name="pending_job_count">0</s:key>
       <s:key name="primary_count">7</s:key>
       <s:key name="primary_count_remote">2</s:key>
       <s:key name="replication_count">0</s:key>
       <s:key name="replication_port">9903</s:key>
       <s:key name="replication_use_ssl">0</s:key>
       <s:key name="search_state_counter">
         <s:dict>
           <s:key name="PendingSearchable">0</s:key>
           <s:key name="Searchable">10</s:key>
           <s:key name="SearchablePendingMask">0</s:key>
           <s:key name="Unsearchable">3</s:key>
         </s:dict>
       </s:key>
       <s:key name="site">site2</s:key>
       <s:key name="status">Up</s:key>
       <s:key name="status_counter">
         <s:dict>
           <s:key name="Complete">6</s:key>
           <s:key name="NonStreamingTarget">0</s:key>
           <s:key name="StreamingSource">2</s:key>
           <s:key name="StreamingTarget">5</s:key>
         </s:dict>
       </s:key>
     </s:dict>
   </content>
 </entry>
</feed>

cluster/manager/peers/{name}

https://<host>:<mPort>/services/cluster/manager/peers/{name}

Access specified peer.


GET

Get {name} peer information.


Request parameters

Name Type Description
list_buckets Boolean Indicates whether to list the buckets for the peers to this manager.

Returned values

Name Description
active_bundle_id The ID of the configuration bundle currently being used by the manager.
apply_bundle_status Bundle status enumeration.
base_generation_id The initial bundle generation ID recognized by this peer. Any searches from previous generations fail.

The initial bundle generation ID is created when a peer first comes online, restarts, or recontacts the manager.

bucket_count Count of the number of buckets on this peer, across all indexes.
bucket_count_by_index Count of the number of buckets by index on this peer.
delayed_buckets_to_discard List of bucket IDs waiting to be discarded on this peer.
fixup_set The set of buckets that need repair once you take the peer offline.
heartbeat_started Flag indicating if this peer has started heartbeating.
host_port_pair The host and port advertised to peers for the data replication channel.

Can be either of the form IP:port or hostname:port.

is_searchable Flag indicating if this peer belongs to the current committed generation and is searchable.
label The name for the peer. Displayed on the Splunk Web manager page.
last_heartbeat Timestamp for last heartbeat recieved from the peer.
latest_bundle_id The ID of the configuration bundle this peer is using.
pending_job_count Used by the manager to keep track of pending jobs requested by the manager to this peer.
primary_count Number of buckets for which the peer is primary in its local site, or the number of buckets that return search results from same site as the peer.
primary_count_remote Number of buckets for which the peer is primary that are not in its local site.
replication_count Number of replications this peer is part of, as either source or target.
replication_port TCP port to listen for replicated data from another cluster member.
replication_use_ssl Indicates whether to use SSL when sending replication data.
search_state_counter Lists the number of buckets on the peer for each search state for the bucket.

Possible values for search state include:

Searchable
Unsearchable
site To which site the peer belongs.
splunk_version The version of Splunk that the peer is running. This will be of the form X.Y.Z where X is the major version, Y is the minor version, and Z is the maintenance version.
status Indicates the status of the peer.

Valid values are:

Up
Pending
AutomaticDetention
ManualDetention-PortsEnabled
ManualDetention
Restarting
ShuttingDown
ReassigningPrimaries
Decommissioning
GracefulShutdown
Stopped
Down
BatchAdding
status_counter Lists the number of buckets on the peer for each bucket status.

Possible values for bucket status:

Complete: complete (warm/cold) bucket
NonStreamingTarget: target of replication for already completed (warm/cold) bucket
PendingTruncate: bucket pending truncation
PendingDiscard: bucket pending discard
Standalone: bucket that is not replicated
StreamingError: copy of streaming bucket where some error was encountered
StreamingSource: streaming hot bucket on source side
StreamingTarget: streaming hot bucket copy on target side
Unset: uninitialized


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/manager/peers/29F9560E-A44A-425C-8753-1C6158B46C84

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">

 <title>clustermanagerpeers</title>
 <id>https://localhost:8089/services/cluster/manager/peers</id>
 <updated>2014-04-17T19:18:19+00:00</updated>
 <generator build="204899" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/manager/peers/_new" rel="create"/>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>29F9560E-A44A-425C-8753-1C6158B46C84</title>
   <id>https://localhost:8089/services/cluster/manager/peers/29F9560E-A44A-425C-8753-1C6158B46C84</id>
   <updated>2014-04-17T19:18:19+00:00</updated>
   <link href="/services/cluster/manager/peers/29F9560E-A44A-425C-8753-1C6158B46C84" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/manager/peers/29F9560E-A44A-425C-8753-1C6158B46C84" rel="list"/>
   <link href="/services/cluster/manager/peers/29F9560E-A44A-425C-8753-1C6158B46C84" rel="edit"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="active_bundle_id">4708B74780A1E5101449548B1E103616</s:key>
       <s:key name="apply_bundle_status">
         <s:dict>
           <s:key name="invalid_bundle">
             <s:dict>
               <s:key name="bundle_validation_errors">
                 <s:list/>
               </s:key>
               <s:key name="invalid_bundle_id"></s:key>
             </s:dict>
           </s:key>
           <s:key name="reload_error"></s:key>
           <s:key name="restart_required_for_apply_bundle">0</s:key>
         </s:dict>
       </s:key>
       <s:key name="base_generation_id">3</s:key>
       <s:key name="bucket_count">11</s:key>
       <s:key name="bucket_count_by_index">
         <s:dict>
           <s:key name="_audit">6</s:key>
           <s:key name="_internal">5</s:key>
         </s:dict>
       </s:key>
       <s:key name="delayed_buckets_to_discard">
         <s:list/>
       </s:key>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="eai:attributes">
         ... elided ...
       </s:key>
       <s:key name="fixup_set">
         <s:list/>
       </s:key>
       <s:key name="heartbeat_started">1</s:key>
       <s:key name="host_port_pair">127.0.1.1:8092</s:key>
       <s:key name="is_searchable">1</s:key>
       <s:key name="label">s1p3</s:key>
       <s:key name="last_heartbeat">1397762298</s:key>
       <s:key name="latest_bundle_id">4708B74780A1E5101449548B1E103616</s:key>
       <s:key name="pending_job_count">0</s:key>
       <s:key name="primary_count">6</s:key>
       <s:key name="primary_count_remote">2</s:key>
       <s:key name="replication_count">0</s:key>
       <s:key name="replication_port">9902</s:key>
       <s:key name="replication_use_ssl">0</s:key>
       <s:key name="search_state_counter">
         <s:dict>
           <s:key name="PendingSearchable">0</s:key>
           <s:key name="Searchable">8</s:key>
           <s:key name="SearchablePendingMask">0</s:key>
           <s:key name="Unsearchable">3</s:key>
         </s:dict>
       </s:key>
       <s:key name="site">site1</s:key>
       <s:key name="splunk_version">7.2.0</s:key>
       <s:key name="status">Up</s:key>
       <s:key name="status_counter">
         <s:dict>
           <s:key name="Complete">6</s:key>
           <s:key name="NonStreamingTarget">0</s:key>
           <s:key name="StreamingSource">2</s:key>
           <s:key name="StreamingTarget">3</s:key>
         </s:dict>
       </s:key>
     </s:dict>
   </content>
 </entry>
</feed>


cluster/manager/redundancy

https://<host>:<mPort>/services/cluster/manager/redundancy

Display the details of all cluster managers participating in cluster manager redundancy, and switch the HA state of the cluster managers.

Authentication and authorization
The GET on this endpoint needs the capability list_indexer_cluster, and the POST on this endpoint needs the capability edit_indexer_cluster.

GET

Display the details of all cluster managers participating in cluster manager redundancy.


Request parameters

None


Returned values

Name Description
active_bundle_id The active bundle ID of the cluster, as set in the given cluster manager.
generation_id The last committed generation ID of the cluster, as known to the given cluster manager.
ha_mode The high availability mode of the given cluster manager.
last_heartbeat The timestamp of the last heartbeat received from the given cluster manager. This is only applicable for the standby cluster managers. For the active cluster manager, this is set to 0. For standby cluster managers, this field reflects the valid timestamp, denoting the last time the active manager received a heartbeat from this standby cluster manager.
manager_switchover_mode The switchover mode set in the given cluster manager.
peers_count The number of indexer peers known to to the given cluster manager.
server_name The configured server name of the given cluster manager.
uri The management URI of the given cluster manager.


Example request and response

Request

curl -k -u admin:changeme -XGET "https://mrt:15511/services/cluster/manager/redundancy/?output_mode=json"

Response

{
   "links":{
      "create":"/services/cluster/manager/redundancy/_new"
   },
   "origin":"https://mrt:15511/services/cluster/manager/redundancy",
   "updated":"2022-01-25T08:29:41+00:00",
   "generator":{
      "build":"e578ec650c0bf4d48e84541eae3d501f6dfc688a",
      "version":"20211229"
   },
   "entry":[
      {
         "name":"7EE219C0-23A6-4E95-A599-64E0FE5E8B05",
         "id":"https://mrt:15511/services/cluster/manager/redundancy/7EE219C0-23A6-4E95-A599-64E0FE5E8B05",
         "updated":"1970-01-01T00:00:00+00:00",
         "links":{
            "alternate":"/services/cluster/manager/redundancy/7EE219C0-23A6-4E95-A599-64E0FE5E8B05",
            "list":"/services/cluster/manager/redundancy/7EE219C0-23A6-4E95-A599-64E0FE5E8B05",
            "edit":"/services/cluster/manager/redundancy/7EE219C0-23A6-4E95-A599-64E0FE5E8B05"
         },
         "author":"system",
         "acl":{
            "app":"",
            "can_list":true,
            "can_write":true,
            "modifiable":false,
            "owner":"system",
            "perms":{
               "read":[
                  "admin",
                  "splunk-system-role"
               ],
               "write":[
                  "admin",
                  "splunk-system-role"
               ]
            },
            "removable":false,
            "sharing":"system"
         },
         "content":{
            "active_bundle_id":"075EA8FB2D1172A1A7AD9DA472C63E92",
            "eai:acl":null,
            "generation_id":"21",
            "ha_mode":"Active",
            "last_heartbeat":0,
            "manager_switchover_mode":"auto",
            "peers_count":"5",
            "server_name":"cm",
            "uri":"https://mrt:15511"
         }
      },
      {
         "name":"841BD315-21DB-4589-8813-15199DF02F1F",
         "id":"https://mrt:15511/services/cluster/manager/redundancy/841BD315-21DB-4589-8813-15199DF02F1F",
         "updated":"1970-01-01T00:00:00+00:00",
         "links":{
            "alternate":"/services/cluster/manager/redundancy/841BD315-21DB-4589-8813-15199DF02F1F",
            "list":"/services/cluster/manager/redundancy/841BD315-21DB-4589-8813-15199DF02F1F",
            "edit":"/services/cluster/manager/redundancy/841BD315-21DB-4589-8813-15199DF02F1F"
         },
         "author":"system",
         "acl":{
            "app":"",
            "can_list":true,
            "can_write":true,
            "modifiable":false,
            "owner":"system",
            "perms":{
               "read":[
                  "admin",
                  "splunk-system-role"
               ],
               "write":[
                  "admin",
                  "splunk-system-role"
               ]
            },
            "removable":false,
            "sharing":"system"
         },
         "content":{
            "active_bundle_id":"075EA8FB2D1172A1A7AD9DA472C63E92",
            "eai:acl":null,
            "generation_id":"21",
            "ha_mode":"Standby",
            "last_heartbeat":1643099380,
            "manager_switchover_mode":"auto",
            "peers_count":"5",
            "server_name":"cm-standby2",
            "uri":"https://wimpy:14089"
         }
      }
   ],
   "paging":{
      "total":2,
      "perPage":30,
      "offset":0
   },
   "messages":[
       
   ]
}

POST

Switch the high availability state of the cluster managers.


Request parameters

_action=switch_mode

ha_mode=Active|Standby

Returned values

Name Description
ha_mode The resultant high availability mode of the given cluster manager after the mode change request completion.


Example request and response

Request

curl -k -u admin:changeme -XPOST "https://10.16.88.2:15511/services/cluster/manager/redundancy/?output_mode=json" -d "_action=switch_mode" -d "ha_mode=Active"

Response

{
   "links":{
      "create":"/services/cluster/manager/redundancy/_new"
   },
   "origin":"https://10.16.88.2:15511/services/cluster/manager/redundancy",
   "updated":"2021-10-14T04:15:00-07:00",
   "generator":{
      "build":"42f3134682e376e692f6e407a83b41c8dd787e9e",
      "version":"20211011"
   },
   "entry":[
      {
         "name":"0AB9404D-8670-4F26-8723-CA289A5A0E3A",
         "id":"https://10.16.88.2:15511/services/cluster/manager/redundancy/0AB9404D-8670-4F26-8723-CA289A5A0E3A",
         "updated":"1969-12-31T16:00:00-08:00",
         "links":{
            "alternate":"/services/cluster/manager/redundancy/0AB9404D-8670-4F26-8723-CA289A5A0E3A",
            "list":"/services/cluster/manager/redundancy/0AB9404D-8670-4F26-8723-CA289A5A0E3A",
            "edit":"/services/cluster/manager/redundancy/0AB9404D-8670-4F26-8723-CA289A5A0E3A"
         },
         "author":"system",
         "acl":{
            "app":"",
            "can_list":true,
            "can_write":true,
            "modifiable":false,
            "owner":"system",
            "perms":{
               "read":[
                  "admin",
                  "splunk-system-role"
               ],
               "write":[
                  "admin",
                  "splunk-system-role"
               ]
            },
            "removable":false,
            "sharing":"system"
         },
         "content":{
            "eai:acl":null,
            "ha_mode":"Active"
         }
      }
   ],
   "paging":{
      "total":1,
      "perPage":30,
      "offset":0
   },
   "messages":[
       
   ]
}

cluster/manager/sites

https://<host>:<mPort>/services/cluster/manager/sites

Access cluster site information.


GET

List available cluster sites.


Request parameters

None


Returned values

Name Description
peers Peers list of host:port and server name.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/manager/sites


XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">

 <title>clustermanagersites</title>
 <id>https://localhost:8089/services/cluster/manager/sites</id>
 <updated>2014-04-17T19:12:15+00:00</updated>
 <generator build="204899" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>2</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>site1</title>
   <id>https://localhost:8089/services/cluster/manager/sites/site1</id>
   <updated>2014-04-17T19:12:15+00:00</updated>
   <link href="/services/cluster/manager/sites/site1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/manager/sites/site1" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="peers">
         <s:dict>
           <s:key name="29F9560E-A44A-425C-8753-1C6158B46C84">
             <s:dict>
               <s:key name="host_port_pair">127.0.1.1:8092</s:key>
               <s:key name="server_name">s1p3</s:key>
             </s:dict>
           </s:key>
           <s:key name="61666763-43E9-411B-9464-D80A5119EF0E">
             <s:dict>
               <s:key name="host_port_pair">127.0.1.1:8091</s:key>
               <s:key name="server_name">s1p2</s:key>
             </s:dict>
           </s:key>
           <s:key name="76C88808-2727-42B4-8C05-72DC44630FE4">
             <s:dict>
               <s:key name="host_port_pair">127.0.1.1:8090</s:key>
               <s:key name="server_name">s1p1</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
     </s:dict>
   </content>
 </entry>
 <entry>
   <title>site2</title>
   <id>https://localhost:8089/services/cluster/manager/sites/site2</id>
   <updated>2014-04-17T19:12:15+00:00</updated>
   <link href="/services/cluster/manager/sites/site2" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/manager/sites/site2" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="peers">
         <s:dict>
           <s:key name="238C3311-F0A4-4A9B-97F0-53667CFFEEAB">
             <s:dict>
               <s:key name="host_port_pair">127.0.1.1:8096</s:key>
               <s:key name="server_name">s2p3</s:key>
             </s:dict>
           </s:key>
           <s:key name="C878FADC-513D-4BDD-BA48-F25BB82FE565">
             <s:dict>
               <s:key name="host_port_pair">127.0.1.1:8095</s:key>
               <s:key name="server_name">s2p2</s:key>
             </s:dict>
           </s:key>
           <s:key name="E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C">
             <s:dict>
               <s:key name="host_port_pair">127.0.1.1:8094</s:key>
               <s:key name="server_name">s2p1</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
     </s:dict>
   </content>
 </entry>
</feed>

cluster/manager/sites/{name}

https://<host>:<mPort>/services/cluster/manager/sites/{name}

Access specific cluster site information.


GET

List the {name} cluster site information.


Request parameters

None

Returned values

Name Description
peers Site peer reference, for each peer. Possible values include the following.
host_port_pair
Peer port number.
server_name
Peer server name.

Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/manager/sites/site1


XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">

 <title>clustermanagersites</title>
 <id>https://localhost:8089/services/cluster/manager/sites</id>
 <updated>2014-04-17T19:13:07+00:00</updated>
 <generator build="204899" version="6.1"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>site1</title>
   <id>https://localhost:8089/services/cluster/manager/sites/site1</id>
   <updated>2014-04-17T19:13:07+00:00</updated>
   <link href="/services/cluster/manager/sites/site1" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/manager/sites/site1" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         ... elided ...
       </s:key>
       <s:key name="eai:attributes">
         ... elided ...
       </s:key>
       <s:key name="peers">
         <s:dict>
           <s:key name="29F9560E-A44A-425C-8753-1C6158B46C84">
             <s:dict>
               <s:key name="host_port_pair">127.0.1.1:8092</s:key>
               <s:key name="server_name">s1p3</s:key>
             </s:dict>
           </s:key>
           <s:key name="61666763-43E9-411B-9464-D80A5119EF0E">
             <s:dict>
               <s:key name="host_port_pair">127.0.1.1:8091</s:key>
               <s:key name="server_name">s1p2</s:key>
             </s:dict>
           </s:key>
           <s:key name="76C88808-2727-42B4-8C05-72DC44630FE4">
             <s:dict>
               <s:key name="host_port_pair">127.0.1.1:8090</s:key>
               <s:key name="server_name">s1p1</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
     </s:dict>
   </content>
 </entry>
</feed>


cluster/manager/status

https://<host>:<mPort>/services/cluster/manager/status

Endpoint to get the status of a rolling restart.


GET

Get the status of a rolling restart.


Request parameters

Pagination and filtering parameters can be used with this method.


Returned values

Name Description
decommission_force_timeout The amount of time, in seconds, the cluster manager will wait for a peer in primary decommission status to finish primary reassignment

and restart, during a searchable rolling restart with timeouts. Only valid for rolling_restart=searchable_force. Default value is 180. Max accepted value is 1800.

maintenance_mode Indicates if the cluster is in maintenance mode. Happens during rolling restart, bundle push, and other maintenance activities.
messages Array of messages from server.
multisite Indicates if multisite is enabled for this manager. Make sure you set site parameters on the peers if you set this to true. Defaults to false.
peers Object containing all the peers in the cluster. For each peer, the label, site and status are provided.
restart_inactivity_timeout The amount of time, in seconds, that the manager waits for a peer to restart and rejoin the cluster before it considers the restart a failure and proceeds to restart other peers. A value of zero (0) means that the manager waits indefinitely for a peer to restart. Only valid for rolling_restart=searchable_force. Default is 600secs.
restart_progress Object containing lists of peers in "done", "failed", "in_progress" and "to_be_restarted" state.
rolling_restart_flag Boolean that indicates if there is a rolling restart in progress.
rolling_restart_or_upgrade Boolean that indicates if there is a rolling restart or rolling upgrade in progress.
searchable_rolling Boolean that indicates if a searchable rolling restart/upgrade in progress.
service_ready_flag Boolean that indicates if the cluster is ready.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/manager/status

XML Response

<title>clustermanagerstatus</title>
  <id>https://10.141.65.179:52000/services/cluster/manager/status</id>
  <updated>2018-04-01T23:00:53+00:00</updated>
  <generator build="b233a6c1ade2" version="7.2.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/manager/status/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>manager</title>
    <id>https://10.141.65.179:52000/services/cluster/manager/status/manager</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/services/cluster/manager/status/manager" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/cluster/manager/status/manager" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="decommission_force_timeout">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="maintenance_mode">0</s:key>
        <s:key name="messages"></s:key>
        <s:key name="multisite">0</s:key>
        <s:key name="peers">
          <s:dict>
            <s:key name="08696C19-548F-4563-BA53-2A18769091DB">
              <s:dict>
                <s:key name="label">idx3</s:key>
                <s:key name="site">default</s:key>
                <s:key name="status">Up</s:key>
              </s:dict>
            </s:key>
            <s:key name="15FE1639-DDEF-4C50-B5A8-3E1C859FA1EA">
              <s:dict>
                <s:key name="label">idx2</s:key>
                <s:key name="site">default</s:key>
                <s:key name="status">Up</s:key>
              </s:dict>
            </s:key>
            <s:key name="73CA8A90-EC43-466F-8D12-A55C6E2EBC05">
              <s:dict>
                <s:key name="label">idx1</s:key>
                <s:key name="site">default</s:key>
                <s:key name="status">Up</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="restart_inactivity_timeout">0</s:key>
        <s:key name="restart_progress">
          <s:dict>
            <s:key name="done">
              <s:list/>
            </s:key>
            <s:key name="failed">
              <s:list/>
            </s:key>
            <s:key name="in_progress">
              <s:list/>
            </s:key>
            <s:key name="to_be_restarted">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="rolling_restart_flag">0</s:key>
        <s:key name="rolling_restart_or_upgrade">0</s:key>
        <s:key name="searchable_rolling">0</s:key>
        <s:key name="service_ready_flag">1</s:key>
      </s:dict>
    </content>
  </entry>

cluster/searchhead/generation

https://<host>:<mPort>/services/cluster/searchhead/generation

Access peer information in a cluster searchhead.


GET

List peers available to a cluster searchhead.


Request parameters

Pagination and filtering parameters can be used with this method.


Returned values

Name Description
generation_id The current generation ID for this searchhead, which is part of a cluster configuration.

The search head uses this information to determine which buckets to search across.

generation_peers List of peer nodes for the current generation in the cluster configuration for this searchhead.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/searchhead/generation

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"

     xmlns:s="http://dev.splunk.com/ns/rest"
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
 <title>clustersearchheadgeneration</title>
 <id>https://localhost:8089/services/cluster/searchhead/generation</id>
 <updated>2012-09-05T11:13:45-07:00</updated>
 <generator build="136169" version="5.0"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>manager</title>
   <id>https://localhost:8089/services/cluster/searchhead/generation/manager</id>
   <updated>2012-09-05T11:13:45-07:00</updated>
   <link href="/services/cluster/searchhead/generation/manager" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/searchhead/generation/manager" rel="list"/>
   <content type="text/xml">
     <s:dict>
       ... eai:acl node elided ...
       <s:key name="generation_id">2</s:key>
       <s:key name="generation_peers">
         <s:dict>
           <s:key name="2AF11DD4-1424-4A14-A522-FB9D055E9516">
             <s:dict>
               <s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8389</s:key>
               <s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
             </s:dict>
           </s:key>
           <s:key name="50FCDB42-E167-458D-A6A9-E4587E8F16D9">
             <s:dict>
               <s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8189</s:key>
               <s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
     </s:dict>
   </content>
 </entry>
</feed>


cluster/searchhead/generation/{name}

https://<host>:<mPort>/services/cluster/searchhead/generation/{name}

Access peer of the manager URI.


GET

Get {name} searchhead generation ID and generation peers.


Request parameters

None

Returned values

Name Description
generation_id The current generation ID for this searchhead, which is part of a cluster configuration.

The search head uses this information to determine which buckets to search across.

generation_peers List of peer nodes for the current generation in the cluster configuration for this searchhead.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/cluster/searchhead/generation/https%3A%252F%252Fmyserver-mbp15.sv.splunk.com%3A8989

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"

     xmlns:s="http://dev.splunk.com/ns/rest"
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
 <title>clustersearchheadgeneration</title>
 <id>https://localhost:53791/services/cluster/searchhead/generation</id>
 <updated>2012-09-07T14:11:59-07:00</updated>
 <generator build="136859" version="20120906"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>1</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
 <entry>
   <title>https://ronnie.splunk.com:53112</title>
   <id>https://localhost:53791/services/cluster/searchhead/generation/https%3A%252F%252Fronnie.splunk.com%3A53112</id>
   <updated>2012-09-07T14:11:59-07:00</updated>
   <link href="/services/cluster/searchhead/generation/https%3A%252F%252Fronnie.splunk.com%3A53112" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/searchhead/generation/https%3A%252F%252Fronnie.splunk.com%3A53112" rel="list"/>
   <content type="text/xml">
     <s:dict>
       ... eai:acl node elided ...
       ... eai:attributes node elided ...
       <s:key name="generation_id">3</s:key>
       <s:key name="generation_peers">
         <s:dict>
           <s:key name="33333333-3333-3333-3333-333333333333">
             <s:dict>
               <s:key name="host_port_pair">10.1.42.3:53309</s:key>
               <s:key name="peer">peer3</s:key>
             </s:dict>
           </s:key>
           <s:key name="44444444-4444-4444-4444-444444444444">
             <s:dict>
               <s:key name="host_port_pair">10.1.42.3:53411</s:key>
               <s:key name="peer">peer4</s:key>
             </s:dict>
           </s:key>
         </s:dict>
       </s:key>
     </s:dict>
   </content>
 </entry>
</feed>

cluster/searchhead/searchheadconfig

https://<host>:<mPort>/services/cluster/searchhead/searchheadconfig

Access cluster searchhead node configuration.


GET

List this cluster search head node configuration.


Request parameters

Pagination and filtering parameters can be used with this method.

Returned values
None


Example request and response

XML Request

curl -k -u   admin:pass https://localhost:8089/services/cluster/searchhead/searchheadconfig

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"

     xmlns:s="http://dev.splunk.com/ns/rest"
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
 <title>clustersearchheadconfig</title>
 <id>https://localhost:8089/services/cluster/searchhead/searchheadconfig</id>
 <updated>2013-10-31T14:04:45-07:00</updated>
 <generator build="184661" version="20131030"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/searchhead/searchheadconfig/_new" rel="create"/>
 <link href="/services/cluster/searchhead/searchheadconfig/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>https://localhost:4567</title>
   <id>https://myserver:7588/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567</id>
   <updated>2013-10-31T14:04:45-07:00</updated>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="list"/>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567/_reload" rel="_reload"/>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="edit"/>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       ... eai:acl node elided ...
       <s:key name="manager_uri">https://localhost:4567</s:key>
       <s:key name="secret">********</s:key>
     </s:dict>
   </content>
 </entry>
</feed>


POST

Configure this server as a cluster searchhead node.


Request parameters

Name Type Description
name String Required. The URI of the manager node in the cluster.
secret String Required. Secret shared among the nodes in the cluster to prevent any arbitrary node from connecting to the cluster. If a peer or searchhead is not configured with the same secret as the manager, it is not able to communicate with the manager.

Corresponds to pass4SymmKey setting in server.conf.

Returned values
None


Example request and response

XML Request

curl -k -u admin:pass https://myserver:8089/services/cluster/searchhead/searchheadconfig -d name=https://myserver:4567 -d secret=testsecret

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"

     xmlns:s="http://dev.splunk.com/ns/rest"
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
 <title>clustersearchheadconfig</title>
 <id>https://localhost:8089/services/cluster/searchhead/searchheadconfig</id>
 <updated>2013-10-31T14:04:45-07:00</updated>
 <generator build="184661" version="20131030"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/searchhead/searchheadconfig/_new" rel="create"/>
 <link href="/services/cluster/searchhead/searchheadconfig/_reload" rel="_reload"/>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>https://localhost:4567</title>
   <id>https://myserver:8089/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567</id>
   <updated>2013-10-31T14:04:45-07:00</updated>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="list"/>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567/_reload" rel="_reload"/>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="edit"/>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       ... eai:acl node elided ...
       <s:key name="manager_uri">https://localhost:4567</s:key>
       <s:key name="secret">********</s:key>
     </s:dict>
   </content>
 </entry>
</feed>

cluster/searchhead/searchheadconfig/{name}

https://<host>:<mPort>/services/cluster/searchhead/searchheadconfig/{name}

Manage node in a cluster.


DELETE

Remove node from cluster.


Request parameters

None

Returned values
None


Example request and response

XML Request

curl -k -u admin:changeme  --request DELETE https://myserver.splunk.com:8089/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Fmyserver%3A8211


XML Response

<feed xmlns="http://www.w3.org/2005/Atom"

     xmlns:s="http://dev.splunk.com/ns/rest"
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
 <title>clustersearchheadconfig</title>
 <id>https://myserver.splunk.com:8089/services/cluster/searchhead/searchheadconfig</id>
 <updated>2013-11-05T14:34:42-08:00</updated>
 <generator build="184986" version="20131101"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/searchhead/searchheadconfig/_new" rel="create"/>
 <link href="/services/cluster/searchhead/searchheadconfig/_reload" rel="_reload"/>
 <opensearch:totalResults>0</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
</feed>



GET

List cluster search head node configuration.


Request parameters

None


Returned values
None


Example request and response

XML Request

curl -k -u admin:pass https://myserver.splunk.com:7588/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567

XML Response

<feed xmlns="http://www.w3.org/2005/Atom"

     xmlns:s="http://dev.splunk.com/ns/rest"
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
 <title>clustersearchheadconfig</title>
 <id>https://myserver.splunk.com:8089/services/cluster/searchhead/searchheadconfig</id>
 <updated>2013-11-05T14:43:00-08:00</updated>
 <generator build="184986" version="20131101"/>
 <author>
   <name>Splunk</name>
 </author>
 <link href="/services/cluster/searchhead/searchheadconfig/_new" rel="create"/>
 <link href="/services/cluster/searchhead/searchheadconfig/_reload" rel="_reload"/>
 ... openserch nodes elided ...
 <s:messages/>
 <entry>
   <title>https://localhost:4567</title>
   <id>https://myserver.splunk.com:7588/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567</id>
   <updated>2013-11-05T14:43:00-08:00</updated>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="list"/>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567/_reload" rel="_reload"/>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="edit"/>
   <link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="remove"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="eai:acl">
         <s:dict>
           <s:key name="app"></s:key>
           <s:key name="can_list">1</s:key>
           <s:key name="can_write">1</s:key>
           <s:key name="modifiable">0</s:key>
           <s:key name="owner">system</s:key>
           <s:key name="perms">
             <s:dict>
               <s:key name="read">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
               <s:key name="write">
                 <s:list>
                   <s:item>admin</s:item>
                   <s:item>splunk-system-role</s:item>
                 </s:list>
               </s:key>
             </s:dict>
           </s:key>
           <s:key name="removable">0</s:key>
           <s:key name="sharing">system</s:key>
         </s:dict>
       </s:key>
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list>
               <s:item>manager_uri</s:item>
               <s:item>secret</s:item>
             </s:list>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="manager_uri">https://localhost:4567</s:key>
       <s:key name="secret">********</s:key>
     </s:dict>
   </content>
 </entry>
</feed>



POST

Update cluster search head node configuration.


Request parameters

Name Type Description
manager_uri String The URI of the manager node in the cluster for which this searchhead is configured.
secret String Secret shared among the nodes in the cluster to prevent any arbitrary node from connecting to the cluster. If a peer or searchhead is not configured with the same secret as the manager, it is not able to communicate with the manager.

Corresponds to pass4SymmKey setting in server.conf.

Returned values
None


cluster/peer/buckets

https://<host>:<mPort>/services/cluster/peer/buckets

Access cluster peers bucket configuration.


GET

List cluster peers bucket configuration.


Request parameters

Name Type Description
generation_id String The generation ID for this peer. For each generation, the manager server in a cluster configuration assigns generation IDs. A generation identifies which copies of a cluster's buckets are primary and therefore can participate in a search.

Pagination and filtering parameters can be used with this method.


Returned values

Name Description
checksum Used internally to identify this bucket.
earliest_time Indicates the time of the earliest event in this bucket.
generation_id The generation ID for this peer.
generations A sparse list of generation id to bucket primacy for the given peer.
latest_time Indicates the time for the latest event in this bucket.
search_state Indicates if the bucket is searchable or unsearchable.
status Indicates the status of this bucket. One of the following values.
Complete
The copy of this bucket contains the full complement of information.
StreamingSource
The copy of this bucket is sending data to peer nodes for replication.
StreamingTarget
The copy of this bucket is receiving replicated data.
NonStreamingTarget
This copy of a warm bucket replication is in progress. Once replication is complete, the status changes to Complete.
StreamingError
The copy of this bucket encountered errors while streaming data.
PendingTruncate
The manager asked the peer to truncate this copy of the bucket to a certain size and is waiting for confirmation.
PendingDiscard
The manager asked the peer to discard this copy of the bucket (for whatever reason, and is waiting for confirmation.
Standalone
A bucket in the cluster that is not replicated.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8189/services/cluster/peer/buckets


XML Response

<feed xmlns="http://www.w3.org/2005/Atom"

     xmlns:s="http://dev.splunk.com/ns/rest"
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
 <title>clusterpeerbuckets</title>
 <id>https://localhost:8189/services/cluster/peer/buckets</id>
 <updated>2012-09-05T12:29:42-07:00</updated>
 <generator build="136169" version="5.0"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516</title>
   <id>https://localhost:8189/services/cluster/peer/buckets/_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516</id>
   <updated>2012-09-05T12:29:42-07:00</updated>
   <link href="/services/cluster/peer/buckets/_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/peer/buckets/_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="checksum"></s:key>
       ... eai:acl node elided ...
       <s:key name="earliest_time">1346859162</s:key>
       <s:key name="generations">
         <s:dict>
           <s:key name="0">0x0</s:key>
         </s:dict>
       </s:key>
       <s:key name="latest_time">1346859257</s:key>
       <s:key name="search_state">Searchable</s:key>
       <s:key name="status">Complete</s:key>
     </s:dict>
   </content>
 </entry>
 . . . elided ...
</feed>



cluster/peer/buckets/{name}

https://<host>:<mPort>/services/cluster/peer/buckets/{name}

Manage peer buckets.


DELETE

Remove specified bucket from peer node.


Request parameters

Name Type Description
bucket_id String Required. The identifier for the bucket to remove.


Returned values
None


Example request and response

XML Request

curl -k -u admin:pass --request DELETE https://myserver:8089/services/cluster/peer/buckets/_internal~58~11111111-1111-1111-1111-111111111111 -d bucket_id="_internal~58~11111111-1111-1111-1111-111111111111"


XML Response

<feed xmlns="http://www.w3.org/2005/Atom"

     xmlns:s="http://dev.splunk.com/ns/rest"
     xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
 <title>clusterpeerbuckets</title>
 <id>https://myserver:8089/services/cluster/peer/buckets</id>
 <updated>2013-10-31T14:48:18-07:00</updated>
 <generator build="184661" version="20131030"/>
 <author>
   <name>Splunk</name>
 </author>
 <opensearch:totalResults>0</opensearch:totalResults>
 <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
 <opensearch:startIndex>0</opensearch:startIndex>
 <s:messages/>
</feed>


GET

List peer specified bucket information.


Request parameters

Name Type Description
generation_id String The generation ID for this peer. For each generation, the manager server in a cluster configuration assigns generation IDs. A generation identifies which copies of a cluster's buckets are primary and therefore can participate in a search.


Returned values

Name Description
checksum Used internally to identify this bucket.
earliest_time Indicates the time of the earliest event in this bucket.
generation_id The generation ID for this peer.
generations A sparse list of generation id to bucket primacy for the given peer.
latest_time Indicates the time for the latest event in this bucket.
search_state Indicates if the bucket is Searchable or Unsearchable.
status Indicates the status of this bucket. One of the following values.
Complete
The copy of this bucket contains the full complement of information.
StreamingSource
The copy of this bucket is sending data to peer nodes for replication.
StreamingTarget
The copy of this bucket is receiving replicated data.
NonStreamingTarget
This copy of a warm bucket replication is in progress. Once replication is complete, the status changes to Complete.
StreamingError
The copy of this bucket encountered errors while streaming data.
PendingTruncate
The manager asked the peer to truncate this copy of the bucket to a certain size and is waiting for confirmation.
PendingDiscard
The manager asked the peer to discard this copy of the bucket (for whatever reason, and is waiting for confirmation.
Standalone
A bucket in the cluster that is not replicated.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8189/services/cluster/peer/buckets/_audit~0~B8B5E5C6-DB26-4952-AFB1-C5EFEFFFEA31

XML Response

.
.
.
 <title>clusterpeerbuckets</title>
 <id>https://localhost:8189/services/cluster/peer/buckets</id>
 <updated>2012-09-05T12:40:43-07:00</updated>
 <generator build="136169" version="5.0"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9</title>
   <id>https://localhost:8189/services/cluster/peer/buckets/_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9</id>
   <updated>2012-09-05T12:40:43-07:00</updated>
   <link href="/services/cluster/peer/buckets/_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/peer/buckets/_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="checksum"></s:key>
       ... eai:acl node elided ...
       <s:key name="eai:attributes">
         <s:dict>
           <s:key name="optionalFields">
             <s:list/>
           </s:key>
           <s:key name="requiredFields">
             <s:list/>
           </s:key>
           <s:key name="wildcardFields">
             <s:list/>
           </s:key>
         </s:dict>
       </s:key>
       <s:key name="earliest_time">0</s:key>
       <s:key name="generations">
         <s:dict>
           <s:key name="0">0xffffffffffffffff</s:key>
         </s:dict>
       </s:key>
       <s:key name="latest_time">0</s:key>
       <s:key name="search_state">Searchable</s:key>
       <s:key name="status">StreamingSource</s:key>
     </s:dict>
   </content>
 </entry>


cluster/peer/control/control/decommission

https://<host>:<mPort>/services/cluster/peer/control/control/decommission

Endpoint to decommission an indexer cluster peer node.


POST

Decommission a peer node.


Returned values
None


Example request and response

XML Request

curl -k -u admin:pass https://indexer:8089/services/cluster/peer/control/control/decommission -X POST

XML Response

  <title>clusterpeercontrol</title>
  <id>https://10.141.66.19:46772/services/cluster/peer/control</id>
  <updated>2018-04-01T21:23:46+00:00</updated>
  <generator build="b233a6c1ade2" version="7.2.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/peer/control/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>



cluster/peer/control/control/re-add-peer

https://<host>:<mPort>/services/cluster/peer/control/control/re-add-peer

Set the peer to re-add itself to the manager. This syncs the peer's state, including its in-memory bucket state, to the manager. By default, this resets the peer's primary bucket copies and the manager reassigns them across the cluster. To keep the peer's existing primary bucket copies, use the optional clearMasks=false parameter.

This endpoint can be useful when the manager and the peer have a state mismatch, for example when bucket information is not in sync between them.


POST

Re-add the cluster indexer to the cluster manager.


Request parameters

Name Type Default Description
clearMasks Boolean. Use true or false. true Optional. Indicates whether the manager should reassign all primary bucket copies across all peers. The default true value prompts the manager to reassign all primary bucket copies across all peers. Use false to re-add the peer but keep the existing primary bucket copies.


Example request and response

XML Request

curl -k -u admin:changeme https://localhost:8089/services/cluster/peer/control/control/re-add-peer -d clearMasks=false -X POST

XML Response

  <title>clusterpeercontrol</title>
  <id>https://localhost:8089/services/cluster/peer/control</id>
  <updated>2015-11-06T18:08:54-08:00</updated>
  <generator build="802b4ea159bb584c629dcdb8ba57c409b1d5b7ab" version="20151030"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/cluster/peer/control/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>


cluster/peer/control/control/set_detention_override

https://<host>:<mPort>/services/cluster/peer/control/control/set_manual_detention


Deprecated. Use /set_manual_detention to manage peer node manual detention mode.


cluster/peer/control/control/set_manual_detention

https://<host>:<mPort>/services/cluster/peer/control/control/set_manual_detention

If you have Splunk Enterprise, you can use this endpoint to put the peer node in manual detention mode or take the peer out of this mode. In manual detention, the peer does not serve as a replication target. Detention helps slow the growth of disk usage on the peer.

Note:

  • This endpoint replaces the /set_detention_override endpoint.
  • Starting with Splunk Enterprise software version 6.5, manual detention persists through restarts.
  • For more information, see Put a peer in detention in Managing Indexers and Clusters of Indexers.


POST

Adjust cluster peer detention mode.


Request parameters

Name Type Description
manual_detention Use one of the following values.
  • off: Default. Remove the indexer from the detention state.
  • on: Put the indexer in manual detention mode. Close the TCP, UDP, and HTTP Event Collector data ports. Closing the ports causes most external data indexing to stop during detention.
  • on_ports_enabled: Put the indexer in manual detention mode. Do not close the TCP, UDP, or HTTP Event Collector data ports. The peer continues to index data during detention.
Enable or disable manual detention. Opt to close data ports or leave them open when manual detention is enabled.


Returned values
None


Example request and response

XML Request

curl -k -u admin:password https://localhost:8089/services/cluster/peer/control/control/set_manual_detention -d manual_detention=on

XML Response

.
.
.
<title>clusterpeercontrol</title>
<id>https://localhost:8089/services/cluster/peer/control</id>
<updated>2016-11-15T20:33:01-08:00</updated>
<generator build="f3ca72fbf1234a98e7a5af9d073ae698f2e64de6" version="20161115"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/cluster/peer/control/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>



cluster/peer/info

https://<host>:<mPort>/services/cluster/peer/info

Access cluster peer node information.


GET

List peer information.


Request parameters

Pagination and filtering parameters can be used with this method.


Returned values

Name Description
active_bundle Current bundle being used by this peer.
base_generation_id The initial bundle generation ID recognized by this peer. Any searches from previous generations fail.

The initial bundle generation ID is created when a peer first comes online, restarts, or recontacts the manager.

invalid_bundle_ids List of bundle ids with validation errors in the peer.
is_registered Indicates if this peer is registered with the manager in the cluster.
last_heartbeat_attempt Timestamp for the last attempt to contact the manager.
latest_bundle Lists information about the most recent bundle downloaded from the manager.
restart_state Indicates whether the peer needs to be restarted to enable its cluster configuration.
status Indicates the status of the peer. One of the following values.
  • Up
  • Down
  • Pending
  • Detention
  • Restarting
  • DecommAwaitingPeer
  • DecommFixingBuckets
  • Decommissioned


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8189/services/cluster/peer/info

XML Response

.
.
.
 <title>clusterpeerinfo</title>
 <id>https://localhost:8189/services/cluster/peer/info</id>
 <updated>2012-09-05T12:45:59-07:00</updated>
 <generator build="136169" version="5.0"/>
 <author>
   <name>Splunk</name>
 </author>
 ... opensearch nodes elided ...
 <s:messages/>
 <entry>
   <title>peer</title>
   <id>https://localhost:8189/services/cluster/peer/info/peer</id>
   <updated>2012-09-05T12:45:59-07:00</updated>
   <link href="/services/cluster/peer/info/peer" rel="alternate"/>
   <author>
     <name>system</name>
   </author>
   <link href="/services/cluster/peer/info/peer" rel="list"/>
   <content type="text/xml">
     <s:dict>
       <s:key name="active_bundle">
         <s:dict>
           <s:key name="bundle_path">/Applications/splunk-peer/var/run/splunk/cluster/remote-bundle/0f6078895127ab1f715ee78a6e1ff8a1-1346858928.bundle</s:key>
           <s:key name="checksum">36a883f4d47af66f78531ef474349b59</s:key>
           <s:key name="timestamp">1346858928</s:key>
         </s:dict>
       </s:key>
       <s:key name="base_generation_id">2</s:key>
       ... eai:acl node elided ...
       <s:key name="invalid_bundle_ids">
         <s:list/>
       </s:key>
       <s:key name="is_registered">1</s:key>
       <s:key name="last_heartbeat_attempt">1346874358</s:key>
       <s:key name="latest_bundle">
         <s:dict>
           <s:key name="bundle_path">/Applications/splunk-peer/var/run/splunk/cluster/remote-bundle/0f6078895127ab1f715ee78a6e1ff8a1-1346858928.bundle</s:key>
           <s:key name="checksum">36a883f4d47af66f78531ef474349b59</s:key>
           <s:key name="timestamp">1346858928</s:key>
         </s:dict>
       </s:key>
       <s:key name="restart_state">NoRestart</s:key>
       <s:key name="status">Up</s:key>
     </s:dict>
   </content>
 </entry>


Search head cluster endpoints

The endpoints in this section pertain to search head clusters.

All endpoints contain shcluster in their URIs pertain to search head clusters. For more information about search head clustering architecture, see Search head clustering architecture in the Distributed Search manual.

replication/configuration/health

https://<host>:<mPort>/services/replication/configuration/health

Access configuration replication health statistics for a search head cluster.

GET

Access the configuration replication health statistics for a search head cluster.

Request parameters

Name Type Description
bookmark Boolean Use this parameter with a GET request on the captain. Set to 1 to list the most recent changesets that members pulled from the captain. A timestamp is also returned for each changeset.
check_share_baseline Boolean Set to 1 to check for a shared baseline among members. This parameter can be used with a request on any member, including the captain.
unpublished Boolean Set to 1 to check for unpublished changes on members. Use this parameter with a request on a member to check if the member has any changes that have not been pushed to the captain.


Returned values

Values returned depend on the request parameters used.

bookmark

Name Description
[server_name] For each [server_name] member, a changeset and timestamp are shown, indicating when the [server_name] member last pulled this set of configuration changes from the captain.

Example request and response

curl -k -u admin:pass https://localhost:8089/services/replication/configuration/health?bookmark=1

...
  <entry>
    <title>bookmark</title>
    <id>https://localhost:11089/services/replication/configuration/health/bookmark</id>
    <updated>2016-08-08T17:08:25-07:00</updated>
    <link href="/services/replication/configuration/health/bookmark" rel="alternate"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="https://localhost:11089">CaptainDummyOpId: Mon Aug  8 16:08:55 2016</s:key>
        <s:key name="https://localhost:8089">2d9e86111eb4a377c60563f93ea5274de8b9c438: Mon Aug  8 17:08:22 2016</s:key>
        <s:key name="https://localhost:9089">2d9e86111eb4a377c60563f93ea5274de8b9c438: Mon Aug  8 17:08:22 2016</s:key>
      </s:dict>
    </content>
  </entry>



check_share_baseline

Application usage
This parameter compares the baseline between the current instance, on which the GET request is made, with the baseline of other members. From each of the other members, the system retrieves the oldest changeset that is not more than 23 hours old and therefore safe from purging. The system then tries to find that changeset in the current instance's local changeset repository. If the changeset is found in the local repository, then the current instance and the member share a baseline.

Establishing a shared baseline between a captain and members is a prerequisite for successful configuration replication.

Name Description
check_share_baseline One of the following values is returned for each of the other members.

Yes: The current instance shares a baseline with this node.

No: The current instance node does not share a baseline with this node.

Connection error: The current instance cannot contact this node. A warning is logged with additional details.

server_name Name for the member whose baseline is being compared to the current instance.

Example request and response

curl -k -u admin:pass https://localhost:11089/services/replication/configuration/health?check_share_baseline=1

...
  <title>health</title>
  <id>https://localhost:11089/services/replication/configuration/health</id>
  <updated>2016-08-09T15:51:06-07:00</updated>
  <generator build="99005df760a86096252bb6b287ad7a6f3149a218" version="20160805"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>https://localhost:8089</title>
    <id>https://localhost:11089/services/replication/configuration/health/https%3A%2F%2Flocalhost%3A8089</id>
    <updated>2016-08-09T15:51:06-07:00</updated>
    <link href="/services/replication/configuration/health/https%3A%2F%2Flocalhost%3A8089" rel="alternate"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="check_share_baseline">Yes</s:key>
        <s:key name="server_name">yxu-mbp15-node2</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>https://localhost:9089</title>
    <id>https://localhost:11089/services/replication/configuration/health/https%3A%2F%2Flocalhost%3A9089</id>
    <updated>2016-08-09T15:51:06-07:00</updated>
    <link href="/services/replication/configuration/health/https%3A%2F%2Flocalhost%3A9089" rel="alternate"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="check_share_baseline">Yes</s:key>
        <s:key name="server_name"> localhost-node3</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>https://localhost:11089</title>
    <id>https://localhost:11089/services/replication/configuration/health/https%3A%2F%2Flocalhost%3A11089</id>
    <updated>2016-08-09T15:51:06-07:00</updated>
    <link href="/services/replication/configuration/health/https%3A%2F%2Flocalhost%3A11089" rel="alternate"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="check_share_baseline">Yes</s:key>
        <s:key name="server_name"> localhost-node1</s:key>
      </s:dict>
    </content>
  </entry>
...


unpublished

A Number of unpublished changes key is returned with one of the following values.

Name Description
0 All changes on this cluster member have been pushed to the captain. There are no unpublished changes on this member.
0 (This instance is the captain) This message is returned when requesting unpublished status on the captain. The captain is always in sync with itself, so there are no unpublished changes.
[Number greater than 0] The number unpublished local changes on this member. Changes are held until the next replication occurs. The node is still healthy in this case.
No captain is available The search head cluster does not currently have a captain.
Missing common baseline with the captain This member might be out of sync with the captain if this message persists after several replication periods.

This message can also appear during a transition period, for example, when a captain is switched or a member is manually resynced. On a healthy search head cluster, the unpublished value should return to a numeric value after one replication period.


Example request and response

curl -k -u admin:pass https://localhost:11089/services/replication/configuration/health?unpublished=1

<title>health</title>
  <id>https://localhost:8089/services/replication/configuration/health</id>
  <updated>2016-08-09T13:14:16-07:00</updated>
  <generator build="99005df760a86096252bb6b287ad7a6f3149a218" version="20160805"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>unpublished</title>
    <id>https://localhost:8089/services/replication/configuration/health/unpublished</id>
    <updated>2016-08-09T13:14:16-07:00</updated>
    <link href="/services/replication/configuration/health/unpublished" rel="alternate"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="Number of unpublished changes">0</s:key>
      </s:dict>
    </content>
  </entry>


shcluster/captain/artifacts

https://<host>:<mPort>/services/shcluster/captain/artifacts

Provides list of artifacts and replicas currently managed by the captain across a searchhead cluster.

This endpoint can only be accessed on the captain. The response lists all artifacts that are currently resident on the set of search head cluster members.

An artifact in search head clustering is a managed search directory. Currently, only scheduled search results directories are managed and replicated according to replication policy.

Note: Ad hoc searches are not considered artifacts and are not listed.


GET

Lists searchhead cluster artifacts and replicas.


Request parameters

Name Type Description
remote_sids Bool Required. Set this to true to return the searches that the captain is seeing. Will include adhoc searches on remote members.


Returned values

Name Description
artifact_size Artifact size, in bytes.
origin_guid Guid of the origin peer where this artifact was created/search was run.
peers Lists information about replicas of this artifact on members of this searchhead cluster.
service_after_time Artifact service/fixup is deferred until after this time.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8189/services/shcluster/captain/artifacts

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>shclustercaptainartifacts</title>
  <id>https://localhost:8089/services/shcluster/captain/artifacts</id>
  <updated>2014-10-15T08:44:41-07:00</updated>
  <generator build="235980" version="20141014"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/shcluster/captain/artifacts/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888</title>
    <id>https://localhost:8089/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888</id>
    <updated>2014-10-15T08:44:41-07:00</updated>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888" rel="list"/>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="artifact_size">282624</s:key>
        ... eai:acl node elided ...
        <s:key name="origin_guid">88888888-8888-8888-8888-888888888888</s:key>
        <s:key name="peers">
          <s:dict>
            <s:key name="88888888-8888-8888-8888-888888888888">
              <s:dict>
                <s:key name="directory_path">/home/svasan/splunk/searchhead/var/run/splunk/dispatch/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888</s:key>
                <s:key name="status">Complete</s:key>
              </s:dict>
            </s:key>
            <s:key name="99999999-9999-9999-9999-999999999999">
              <s:dict>
                <s:key name="directory_path">/home/svasan/splunk/dash/var/run/splunk/dispatch/rsa_scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888</s:key>
                <s:key name="status">Complete</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="service_after_time">0</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888</title>
    <id>https://localhost:8089/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888</id>
    <updated>2014-10-15T08:44:41-07:00</updated>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888" rel="list"/>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="artifact_size">282624</s:key>
        ... eai:acl node elided ...
        <s:key name="origin_guid">88888888-8888-8888-8888-888888888888</s:key>
        <s:key name="peers">
          <s:dict>
            <s:key name="88888888-8888-8888-8888-888888888888">
              <s:dict>
                <s:key name="directory_path">/home/svasan/splunk/searchhead/var/run/splunk/dispatch/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888</s:key>
                <s:key name="status">Complete</s:key>
              </s:dict>
            </s:key>
            <s:key name="99999999-9999-9999-9999-999999999999">
              <s:dict>
                <s:key name="directory_path">/home/svasan/splunk/dash/var/run/splunk/dispatch/rsa_scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888</s:key>
                <s:key name="status">Complete</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="service_after_time">0</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387300_288_88888888-8888-8888-8888-888888888888</title>
    <id>https://localhost:8089/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387300_288_88888888-8888-8888-8888-888888888888</id>
    <updated>2014-10-15T08:44:41-07:00</updated>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387300_288_88888888-8888-8888-8888-888888888888" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387300_288_88888888-8888-8888-8888-888888888888" rel="list"/>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387300_288_88888888-8888-8888-8888-888888888888" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="artifact_size">253952</s:key>
        ... eai:acl node elided ...
        <s:key name="origin_guid">88888888-8888-8888-8888-888888888888</s:key>
        <s:key name="peers">
          <s:dict>
            <s:key name="88888888-8888-8888-8888-888888888888">
              <s:dict>
                <s:key name="directory_path">/home/svasan/splunk/searchhead/var/run/splunk/dispatch/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387300_288_88888888-8888-8888-8888-888888888888</s:key>
                <s:key name="status">Complete</s:key>
              </s:dict>
            </s:key>
            <s:key name="99999999-9999-9999-9999-999999999999">
              <s:dict>
                <s:key name="directory_path">/home/svasan/splunk/dash/var/run/splunk/dispatch/rsa_scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387300_288_88888888-8888-8888-8888-888888888888</s:key>
                <s:key name="status">Complete</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="service_after_time">0</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387600_289_88888888-8888-8888-8888-888888888888</title>
    <id>https://localhost:8089/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387600_289_88888888-8888-8888-8888-888888888888</id>
    <updated>2014-10-15T08:44:41-07:00</updated>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387600_289_88888888-8888-8888-8888-888888888888" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387600_289_88888888-8888-8888-8888-888888888888" rel="list"/>
    <link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387600_289_88888888-8888-8888-8888-888888888888" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="artifact_size">253952</s:key>
        ... eai:acl node elided ...
        <s:key name="origin_guid">88888888-8888-8888-8888-888888888888</s:key>
        <s:key name="peers">
          <s:dict>
            <s:key name="88888888-8888-8888-8888-888888888888">
              <s:dict>
                <s:key name="directory_path">/home/svasan/splunk/searchhead/var/run/splunk/dispatch/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387600_289_88888888-8888-8888-8888-888888888888</s:key>
                <s:key name="status">Complete</s:key>
              </s:dict>
            </s:key>
            <s:key name="99999999-9999-9999-9999-999999999999">
              <s:dict>
                <s:key name="directory_path">/home/svasan/splunk/dash/var/run/splunk/dispatch/rsa_scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387600_289_88888888-8888-8888-8888-888888888888</s:key>
                <s:key name="status">Complete</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="service_after_time">0</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

shcluster/captain/artifacts/{name}

https://<host>:<mPort>/services/shcluster/captain/artifacts/{name}

Get artifact information for a specific artifact.


GET

Get artifact information, size, replicas and earliest service time.


Request parameters

Pagination and filtering parameters can be used with this method.


Returned values

Name ! Description
artifact_size Artifact size, in bytes.
origin_guid Guid of the origin peer where this artifact was created.
peers Lists information about artifacts on members of this captain.
service_after_time Artifact service is deferred until after this time.


Example request and response

XML Request

curl -k -u admin:pass https://locahost:8089/services/shcluster/captain/artifacts/scheduler__nobody__simplexml__RMD5dc07327042a35a17_at_1469214000_37_11111111-1111-1111-1111-111111111111

XML Response


  <title>shclustercaptainartifacts</title>
  <id>https://localhost:8089/services/shcluster/captain/artifacts</id>
  <updated>2016-07-22T13:39:03-07:00</updated>
  <generator build="d6d01722fce508a9e2f032d36d8d6a445b7d6292" version="20160721"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/shcluster/captain/artifacts/_new" rel="create"/>
  <link href="/services/shcluster/captain/artifacts/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>scheduler__nobody__simplexml__RMD5dc07327042a35a17_at_1469214000_37_11111111-1111-1111-1111-111111111111</title>
    <id>https://localhost:8089/services/shcluster/captain/artifacts/scheduler__nobody__simplexml__RMD5dc07327042a35a17_at_1469214000_37_11111111-1111-1111-1111-111111111111</id>
    <updated>2016-07-22T13:39:03-07:00</updated>
    <link href="/services/shcluster/captain/artifacts/scheduler__nobody__simplexml__RMD5dc07327042a35a17_at_1469214000_37_11111111-1111-1111-1111-111111111111" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/artifacts/scheduler__nobody__simplexml__RMD5dc07327042a35a17_at_1469214000_37_11111111-1111-1111-1111-111111111111" rel="list"/>
    <link href="/services/shcluster/captain/artifacts/scheduler__nobody__simplexml__RMD5dc07327042a35a17_at_1469214000_37_11111111-1111-1111-1111-111111111111" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="artifact_size">77824</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:acl.app">simplexml</s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="label">timechart_scheduled</s:key>
        <s:key name="origin_guid">11111111-1111-1111-1111-111111111111</s:key>
        <s:key name="peers">
          <s:dict>
            <s:key name="11111111-1111-1111-1111-111111111111">
              <s:dict>
                <s:key name="directory_path">/home/user/home_1/var/run/splunk/dispatch/scheduler__nobody__simplexml__RMD5dc07327042a35a17_at_1469214000_37_11111111-1111-1111-1111-111111111111</s:key>
                <s:key name="status">Complete</s:key>
              </s:dict>
            </s:key>
            <s:key name="33333333-3333-3333-3333-333333333333">
              <s:dict>
                <s:key name="directory_path">/home/user/home_3/var/run/splunk/dispatch/rsa_scheduler__nobody__simplexml__RMD5dc07359042a35a17_at_1469214000_37_11111111-1111-1111-1111-111111111111</s:key>
                <s:key name="status">Complete</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="perms">read : [ *, splunk-system-user ], write : [ admin, power, splunk-system-user ]</s:key>
        <s:key name="service_after_time">0</s:key>
        <s:key name="user">splunk-system-user</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

shcluster/captain/control/default/restart

https://<host>:<mPort>/services/shcluster/captain/control/default/restart

Endpoint to initiate rolling restart of a search head cluster.


POST

Initiates rolling restart of a search head cluster


Request parameters

Name Type Description
searchable Boolean Maintain high search availability during a rolling restart.
force Boolean Override health check failures to continue searchable rolling restart.
decommission_search_jobs_wait_secs Integer Maximum time in secs that searchable rolling restart waits

for existing searches to finish. Default: 180 secs.


Returned values
None


Example request and response

XML Request

curl -k -u admin:password  https://localhost:8089/services/shcluster/captain/control/default/restart -d searchable=1 -d force=1 -d decommission_search_jobs_wait_secs=30 -X POST

XML Response


<title>shclustercaptaincontrol</title>
  <id>https://10.222.21.58:8089/services/shcluster/captain/control</id>
  <updated>2018-03-29T12:08:09-07:00</updated>
  <generator build="d75793dbca24" version="7.1.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/shcluster/captain/control/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages>
    <s:msg type="INFO">Restart of search head cluster members initiated.</s:msg>
  </s:messages>
  <entry>
    <title>restart</title>
    <id>https://10.222.21.58:8089/services/shcluster/captain/control/restart</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/services/shcluster/captain/control/restart" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/control/restart" rel="list"/>
    <link href="/services/shcluster/captain/control/restart" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="msg">Searchable rolling restarted cannot be started without captain status = Up, check status through "splunk show shcluster-status".</s:key>
        <s:key name="success">0</s:key>
      </s:dict>
    </content>
  </entry>



shcluster/captain/control/control/rotate-splunk-secret

https://<host>:<mPort>/services/shcluster/captain/control/control/rotate-splunk-secret

Rotates the splunk.secret file on all nodes of a search head cluster.

POST

Rotates the splunk.secret file on all nodes of a search head cluster.


Returned values
None


Example request and response

XML Request

curl -k -u admin:changeme  https://localhost:8089/services/shcluster/captain/control/control/rotate-splunk-secret -X POST

XML Response



shcluster/captain/control/control/upgrade-init

https://<host>:<mPort>/services/shcluster/captain/control/control/upgrade-init

Initializes a search head cluster rolling upgrade.


POST

Initializes a search head cluster rolling upgrade.


Returned values
None


Example request and response

XML Request

curl -k -u admin:changeme  https://localhost:8089/services/shcluster/captain/control/control/upgrade-init -X POST

XML Response


  <title>shclustercaptaincontrol</title>
  <id>https://10.222.21.58:8089/services/shcluster/captain/control</id>
  <updated>2018-03-29T12:02:54-07:00</updated>
  <generator build="d75793dbca24" version="7.1.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/shcluster/captain/control/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages>
    <s:msg type="INFO">Upgrade of search head cluster members initiated.</s:msg>
  </s:messages>
  <entry>
    <title>upgrade-init</title>
    <id>https://10.222.21.58:8089/services/shcluster/captain/control/upgrade-init</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/services/shcluster/captain/control/upgrade-init" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/control/upgrade-init" rel="list"/>
    <link href="/services/shcluster/captain/control/upgrade-init" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="success">1</s:key>
        <s:key name="upgrade">yes</s:key>
      </s:dict>
    </content>
  </entry>

shcluster/captain/control/control/upgrade-finalize

https://<host>:<mPort>/services/shcluster/captain/control/control/upgrade-finalize

Finishes a search head cluster rolling upgrade.


POST

Finishes a search head cluster rolling upgrade.


Returned values
None


Example request and response

XML Request

curl -k -u admin:changeme   https://localhost:8089/services/shcluster/captain/control/control/upgrade-finalize -X POST

XML Response


<title>shclustercaptaincontrol</title>
  <id>https://10.222.21.58:8089/services/shcluster/captain/control</id>
  <updated>2018-03-29T12:06:47-07:00</updated>
  <generator build="d75793dbca24" version="7.1.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/shcluster/captain/control/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages>
    <s:msg type="INFO">Upgrade of search head cluster members finalized.</s:msg>
  </s:messages>
  <entry>
    <title>upgrade-finalize</title>
    <id>https://10.222.21.58:8089/services/shcluster/captain/control/upgrade-finalize</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/services/shcluster/captain/control/upgrade-finalize" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/control/upgrade-finalize" rel="list"/>
    <link href="/services/shcluster/captain/control/upgrade-finalize" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="success">1</s:key>
        <s:key name="upgrade">no</s:key>
      </s:dict>
    </content>
  </entry>



shcluster/captain/info

https://<host>:<mPort>/services/shcluster/captain/info

Access information about searchhead cluster captain node.


GET

List searchhead cluster captain node details.


Request parameters

Pagination and filtering parameters can be used with this method.


Returned values

Name Description
elected_captain Time when the current captain was elected
id Id of this SH cluster. This is used as the unique identifier for the Search Head Cluster in bundle replication and acceleration summary management.
initialized_flag Indicates if the searchhead cluster is initialized.
label The name for the captain. Displayed on the Splunk Web manager page.
maintenance_mode Indicates if the cluster is in maintenance mode.
min_peers_joined_flag Flag to indicate if more then replication_factor peers have joined the cluster.
peer_scheme_host_port URI of the current captain.
rolling_restart_flag Indicates whether the captain is restarting the members in a searchhead cluster.
service_ready_flag Indicates whether the captain is ready to begin servicing, based on whether it is initialized.
start_time Timestamp corresponding to the creation of the captain.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/shcluster/captain/info

XML Response


<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>shclustercaptaininfo</title>
  <id>https://localhost:8089/services/shcluster/captain/info</id>
  <updated>2014-10-15T08:45:25-07:00</updated>
  <generator build="235980" version="20141014"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>captain</title>
    <id>https://localhost:8089/services/shcluster/captain/info/captain</id>
    <updated>2014-10-15T08:45:25-07:00</updated>
    <link href="/services/shcluster/captain/info/captain" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/info/captain" rel="list"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="elected_captain">1413307273</s:key>
        <s:key name="id">BB3116C0-73B9-459A-B473-254A18A69776</s:key>
        <s:key name="initialized_flag">1</s:key>
        <s:key name="label">searchhead</s:key>
        <s:key name="maintenance_mode">0</s:key>
        <s:key name="min_peers_joined_flag">1</s:key>
        <s:key name="peer_scheme_host_port">https://localhost:55569</s:key>
        <s:key name="rolling_restart_flag">0</s:key>
        <s:key name="service_ready_flag">1</s:key>
        <s:key name="start_time">1413307203</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

shcluster/captain/jobs

https://<host>:<mPort>/services/shcluster/captain/jobs

List running and recently finished jobs for all cluster members.


GET

List running and recently finished jobs for this cluster.


Request parameters

Pagination and filtering parameters can be used with this method.

Returned values
For each job:

Name Description
ATTEMPT_[n] dispatch_time - The UTC time of dispatch for the job
errormsg - If the job failed, capturing the reason for failure
peer - GUID of the member that the job was sent to
sid - the search id of this attempt
success - a boolean for success/failure of the job
job_state Job State can be SCHEDULED/DISPATCHED/COMPLETED. A SCHEDULED job has been received by the captain from the scheduler to schedule. A DISPATCHED job has started to run on a remote member. A COMPLETED job has finished running on the remote member.
saved_search The name of the saved-search from the associated savedsearches.conf file.
savedsearchtype The scheduler manages three kinds of scheduled jobs, regular savedsearch for both realtime and historical, autosummary report acceleration build searches, and tsidx tsidx build searches.
search_app The application in which the savedsearch was created.
search_owner The owner of the saved search.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8089/services/shcluster/captain/jobs

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>shclustercaptainjobs</title>
  <id>https://localhost:8089/services/shcluster/captain/jobs</id>
  <updated>2014-10-15T08:47:50-07:00</updated>
  <generator build="235980" version="20141014"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/shcluster/captain/jobs/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>savedsearch_Alert - syslog errors last hour_1087026166</title>
    <id>https://localhost:8089/services/shcluster/captain/jobs/savedsearch_Alert%20-%20syslog%20errors%20last%20hour_1087026166</id>
    <updated>2014-10-15T08:47:50-07:00</updated>
    <link href="/services/shcluster/captain/jobs/savedsearch_Alert%20-%20syslog%20errors%20last%20hour_1087026166" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/jobs/savedsearch_Alert%20-%20syslog%20errors%20last%20hour_1087026166" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="ATTEMPT_1">
          <s:dict>
            <s:key name="dispatch_time">1413363600</s:key>
            <s:key name="errormsg">error response peer=https://wimpy.splunk.com:55560 rc=404 reason='<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">Application does not exist: SA-nix</msg>
  </messages>
</response>
'</s:key>
            <s:key name="peer">99999999-9999-9999-9999-999999999999</s:key>
            <s:key name="sid">NO_SID_RECEIVED_YET</s:key>
            <s:key name="success">0</s:key>
          </s:dict>
        </s:key>
        <s:key name="ATTEMPT_2">
          <s:dict>
            <s:key name="dispatch_time">1413363600</s:key>
            <s:key name="peer">88888888-8888-8888-8888-888888888888</s:key>
            <s:key name="sid">scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413363600_203_88888888-8888-8888-8888-888888888888</s:key>
            <s:key name="success">1</s:key>
          </s:dict>
        </s:key>
        ... eai:acl node elided ...
        <s:key name="job_state">COMPLETED</s:key>
        <s:key name="saved_search">Alert - syslog errors last hour</s:key>
        <s:key name="savedsearchtype">savedsearch</s:key>
        <s:key name="search_app">SA-nix</s:key>
        <s:key name="search_owner">admin</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>savedsearch_Alert - syslog errors last hour_11648853</title>
    <id>https://localhost:8089/services/shcluster/captain/jobs/savedsearch_Alert%20-%20syslog%20errors%20last%20hour_11648853</id>
    <updated>2014-10-15T08:47:50-07:00</updated>
    <link href="/services/shcluster/captain/jobs/savedsearch_Alert%20-%20syslog%20errors%20last%20hour_11648853" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/jobs/savedsearch_Alert%20-%20syslog%20errors%20last%20hour_11648853" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="ATTEMPT_1">
          <s:dict>
            <s:key name="dispatch_time">1413316800</s:key>
            <s:key name="errormsg">error response peer=https://wimpy.splunk.com:55560 rc=404 reason='<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">Application does not exist: SA-nix</msg>
  </messages>
</response>
'</s:key>
            <s:key name="peer">99999999-9999-9999-9999-999999999999</s:key>
            <s:key name="sid">NO_SID_RECEIVED_YET</s:key>
            <s:key name="success">0</s:key>
          </s:dict>
        </s:key>
        <s:key name="ATTEMPT_2">
          <s:dict>
            <s:key name="dispatch_time">1413316800</s:key>
            <s:key name="peer">88888888-8888-8888-8888-888888888888</s:key>
            <s:key name="sid">scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413316800_34_88888888-8888-8888-8888-888888888888</s:key>
            <s:key name="success">1</s:key>
          </s:dict>
        </s:key>
        ... eai:acl node elided ...
        <s:key name="job_state">COMPLETED</s:key>
        <s:key name="saved_search">Alert - syslog errors last hour</s:key>
        <s:key name="savedsearchtype">savedsearch</s:key>
        <s:key name="search_app">SA-nix</s:key>
        <s:key name="search_owner">admin</s:key>
      </s:dict>
    </content>
  </entry>
      .
      .
      .
<entry>
    <title>savedsearch_fired_alerts_1050236433</title>
    <id>https://localhost:8089/services/shcluster/captain/jobs/savedsearch_fired_alerts_1050236433</id>
    <updated>2014-10-15T08:47:50-07:00</updated>
    <link href="/services/shcluster/captain/jobs/savedsearch_fired_alerts_1050236433" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/jobs/savedsearch_fired_alerts_1050236433" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="ATTEMPT_1">
          <s:dict>
            <s:key name="dispatch_time">1413308100</s:key>
            <s:key name="errormsg">error response peer=https://wimpy.splunk.com:55560 rc=404 reason='<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">Application does not exist: SA-nix</msg>
  </messages>
</response>
'</s:key>
            <s:key name="peer">99999999-9999-9999-9999-999999999999</s:key>
            <s:key name="sid">NO_SID_RECEIVED_YET</s:key>
            <s:key name="success">0</s:key>
          </s:dict>
        </s:key>
        <s:key name="ATTEMPT_2">
          <s:dict>
            <s:key name="dispatch_time">1413308100</s:key>
            <s:key name="peer">88888888-8888-8888-8888-888888888888</s:key>
            <s:key name="sid">scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413308100_2_88888888-8888-8888-8888-888888888888</s:key>
            <s:key name="success">1</s:key>
          </s:dict>
        </s:key>
        ... eai:acl node elided ...
        <s:key name="job_state">COMPLETED</s:key>
        <s:key name="saved_search">fired_alerts</s:key>
        <s:key name="savedsearchtype">savedsearch</s:key>
        <s:key name="search_app">SA-nix</s:key>
        <s:key name="search_owner">admin</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

shcluster/captain/jobs/{name}

https://<host>:<mPort>/services/shcluster/captain/jobs/{name}


GET

Get running and recently finished jobs for {name} cluster.


Request parameters

Pagination and filtering parameters can be used with this method.

Returned values

Name Description
ATTEMPT_[n] dispatch_time - The UTC time of dispatch for the job
errormsg - If the job failed, capturing the reason for failure
peer - GUID of the member that the job was sent to
sid - the search id of this attempt
success - a boolean for success/failure of the job
job_state Job State can be SCHEDULED/DISPATCHED/COMPLETED. A SCHEDULED job has been received by the captain from the scheduler to schedule. A DISPATCHED job has started to run on a remote member. A COMPLETED job has finished running on the remote member.
saved_search The name of the saved-search from the associated savedsearches.conf file.
savedsearchtype The scheduler manages three kinds of scheduled jobs, regular savedsearch for both realtime and historical, autosummary report acceleration build searches, and tsidx tsidx build searches.
search_app The application in which the savedsearch was created.
search_owner The owner of the saved search.


Example request and response
XML Request

curl -k -u admin:pass https://localhost:8089/services/shcluster/captain/jobs/scheduled_sample%20scheduled%20search%20for%20dashboards%20%28existing%20job%20case%29%20timechart_12944444515

XML Response

  <title>shclustercaptainjobs</title>
  <id>https://localhost:8089/services/shcluster/captain/jobs</id>
  <updated>2016-07-22T13:56:18-07:00</updated>
  <generator build="d6d01722fce508a9e2f032d36d8d6a445b7d6292" version="20160721"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/shcluster/captain/jobs/_new" rel="create"/>
  <link href="/services/shcluster/captain/jobs/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>scheduled_sample scheduled search for dashboards (existing job case) timechart_1290934515</title>
    <id>https://localhost:8089/services/shcluster/captain/jobs/scheduled_sample%20scheduled%20search%20for%20dashboards%20%28existing%20job%20case%29%20timechart_1290934515</id>
    <updated>2016-07-22T13:56:18-07:00</updated>
    <link href="/services/shcluster/captain/jobs/scheduled_sample%20scheduled%20search%20for%20dashboards%20%28existing%20job%20case%29%20timechart_1294444515" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/jobs/scheduled_sample%20scheduled%20search%20for%20dashboards%20%28existing%20job%20case%29%20timechart_12904444515" rel="list"/>
    <link href="/services/shcluster/captain/jobs/scheduled_sample%20scheduled%20search%20for%20dashboards%20%28existing%20job%20case%29%20timechart_12909444515" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="dispatch_time">1469214120</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="job_state">COMPLETED</s:key>
        <s:key name="peer">11111111-1111-1111-1111-111111111111</s:key>
        <s:key name="peer_scheme_host_port">https://wimpy:13221</s:key>
        <s:key name="peer_servername">home-1</s:key>
        <s:key name="saved_search">sample scheduled search for dashboards (existing job case) timechart</s:key>
        <s:key name="savedsearchtype">scheduled</s:key>
        <s:key name="search_app">testing</s:key>
        <s:key name="search_owner">nobody</s:key>
        <s:key name="sid">scheduler__nobody__testing__RMD5058c22ce2c07889b_at_1469214120_39_11111111-1111-1111-1111-111111111111</s:key>
        <s:key name="success">1</s:key>
      </s:dict>
    </content>
  </entry>


shcluster/captain/members

https://<host>:<mPort>/services/shcluster/captain/members

Lists the search head cluster members.


GET

List cluster members.


Request parameters

Pagination and filtering parameters can be used with this method.


Returned values

Name Description
adhoc_searchhead Flag to indicate if this member does not run scheduled searches.
advertise_restart_required Flag to indicate if this peer advertised that it needed a restart.
artifact_count Number of artifacts on this peer
delayed_artifacts_to_discard List of artifacts waiting to be deleted from this peer.
fixup_set N/A
host_port_pair The host and management port advertised by this peer.
kv_store_host_port Host and port of the kv store instance of this member.
label The name for this member. Displayed on the Splunk Web manager page.
last_heartbeat Timestamp for last heartbeat recieved from the peer
peer_scheme_host_port URI of the current captain.
pending_job_count Used by the captain to keep track of pending jobs requested by the captain to this member.
replication_count Number of replications this peer is part of, as either source or target.
replication_port TCP port to listen for replicated data from another cluster member.
replication_use_ssl Indicates whether to use SSL when sending replication data.
site N/A
status Indicates the status of the member. Possible values are the following.
  • Up
  • Pending
  • AutomaticDetention
  • ManualDetention-PortsEnabled
  • ManualDetention
  • Restarting
  • ShuttingDown
  • ReassigningPrimaries
  • Decommissioning
  • GracefulShutdown
  • Stopped
  • Down
  • BatchAdding
status_counter Lists the number of buckets on the peer for each bucket status. Possible values are the following.
Complete
Complete (warm/cold) bucket
NonStreamingTarget
Target of replication for already completed (warm/cold) bucket
PendingTruncate
Bucket pending truncation
PendingDiscard
Bucket pending discard
Standalone
Bucket that is not replicated
StreamingError
Copy of streaming bucket where some error was encountered
StreamingSource
Streaming hot bucket on source side
StreamingTarget
Streaming hot bucket copy on target side
Unset
Uninitialized


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/services/shcluster/captain/members

XML Response


<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>shclustercaptainmembers</title>
  <id>https://localhost:8089/services/shcluster/captain/members</id>
  <updated>2014-10-15T08:49:34-07:00</updated>
  <generator build="235980" version="20141014"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/shcluster/captain/members/_new" rel="create"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>88888888-8888-8888-8888-888888888888</title>
    <id>https://localhost:8089/services/shcluster/captain/members/88888888-8888-8888-8888-888888888888</id>
    <updated>2014-10-15T08:49:34-07:00</updated>
    <link href="/services/shcluster/captain/members/88888888-8888-8888-8888-888888888888" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/members/88888888-8888-8888-8888-888888888888" rel="list"/>
    <link href="/services/shcluster/captain/members/88888888-8888-8888-8888-888888888888" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="adhoc_searchhead">0</s:key>
        <s:key name="advertise_restart_required">0</s:key>
        <s:key name="artifact_count">4</s:key>
        <s:key name="delayed_artifacts_to_discard">
          <s:list/>
        </s:key>
        ... eai:acl node elided ...
        <s:key name="fixup_set">
          <s:list/>
        </s:key>
        <s:key name="host_port_pair">localhost:8089</s:key>
        <s:key name="kv_store_host_port">?</s:key>
        <s:key name="label">searchhead</s:key>
        <s:key name="last_heartbeat">1413388171</s:key>
        <s:key name="peer_scheme_host_port">https://localhost:8089</s:key>
        <s:key name="pending_job_count">0</s:key>
        <s:key name="replication_count">0</s:key>
        <s:key name="replication_port">3456</s:key>
        <s:key name="replication_use_ssl">0</s:key>
        <s:key name="site">site2</s:key>
        <s:key name="status">Up</s:key>
        <s:key name="status_counter">
          <s:dict>
            <s:key name="Complete">4</s:key>
            <s:key name="PendingDiscard">0</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>99999999-9999-9999-9999-999999999999</title>
    <id>https://localhost:8089/services/shcluster/captain/members/99999999-9999-9999-9999-999999999999</id>
    <updated>2014-10-15T08:49:34-07:00</updated>
    <link href="/services/shcluster/captain/members/99999999-9999-9999-9999-999999999999" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/members/99999999-9999-9999-9999-999999999999" rel="list"/>
    <link href="/services/shcluster/captain/members/99999999-9999-9999-9999-999999999999" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="adhoc_searchhead">0</s:key>
        <s:key name="advertise_restart_required">0</s:key>
        <s:key name="artifact_count">4</s:key>
        <s:key name="delayed_artifacts_to_discard">
          <s:list/>
        </s:key>
        ... eai:acl node elided ...
        <s:key name="fixup_set">
          <s:list/>
        </s:key>
        <s:key name="host_port_pair">wimpy.splunk.com:55560</s:key>
        <s:key name="kv_store_host_port">?</s:key>
        <s:key name="label">manager</s:key>
        <s:key name="last_heartbeat">1413388171</s:key>
        <s:key name="peer_scheme_host_port">https://wimpy.splunk.com:55560</s:key>
        <s:key name="pending_job_count">0</s:key>
        <s:key name="replication_count">0</s:key>
        <s:key name="replication_port">55570</s:key>
        <s:key name="replication_use_ssl">0</s:key>
        <s:key name="site">site1</s:key>
        <s:key name="status">Up</s:key>
        <s:key name="status_counter">
          <s:dict>
            <s:key name="Complete">4</s:key>
            <s:key name="NonStreamingTarget">0</s:key>
            <s:key name="PendingDiscard">0</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

shcluster/captain/members/{name}

https://<host>:<mPort>/services/shcluster/captain/members/{name}

Get information about the {name} searchhead cluster member.


GET

Get information about the {name} searchhead cluster member.


Request parameters

Pagination and filtering parameters can be used with this method.


Returned values

Name Description
adhoc_searchhead Flag to indicate if this member does not run scheduled searches.
advertise_restart_required Flag to indicate if this peer advertised that it needed a restart.
artifact_count Number of artifacts on this peer.
delayed_artifacts_to_discard List of artifacts waiting to be deleted from this peer.
fixup_set N/A
host_port_pair The host and management port advertised by this peer.
kv_store_host_port Host and port of the kv store instance of this member.
label The name for this member. Displayed on the Splunk Web manager page.
last_heartbeat Timestamp for last heartbeat recieved from the peer
peer_scheme_host_port URI of the current captain.
pending_job_count Used by the manager to keep track of pending jobs requested by the manager to this peer.
replication_count Number of replications this peer is part of, as either source or target.
replication_port TCP port to listen for replicated data from another cluster member.
replication_use_ssl Indicates whether to use SSL when sending replication data.
site N/A
status Indicates the status of the member.

Possible values are the following.

  • Up
  • Pending
  • AutomaticDetention
  • ManualDetention-PortsEnabled
  • ManualDetention
  • Restarting
  • ShuttingDown
  • ReassigningPrimaries
  • Decommissioning
  • GracefulShutdown
  • Stopped
  • Down
  • BatchAdding
status_counter Lists the number of buckets on the peer for each bucket status. Possible values are the following.
Complete
Complete (warm/cold) bucket
NonStreamingTarget
Target of replication for already completed (warm/cold) bucket
PendingTruncate
Bucket pending truncation
PendingDiscard
Bucket pending discard
Standalone
Bucket that is not replicated
StreamingError
Copy of streaming bucket where some error was encountered
StreamingSource
Streaming hot bucket on source side
StreamingTarget
Streaming hot bucket copy on target side
Unset
Uninitialized


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8089/services/shcluster/captain/members/33333333-3333-3333-3333-333333333333

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>shclustercaptainmembers</title>
  <id>https://wimpy:13221/services/shcluster/captain/members</id>
  <updated>2016-07-22T14:12:50-07:00</updated>
  <generator build="d6d01722fce508a9e2f032d36d8d6a445b7d6292" version="20160721"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/shcluster/captain/members/_new" rel="create"/>
  <link href="/services/shcluster/captain/members/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>33333333-3333-3333-3333-333333333333</title>
    <id>https://localhost:8089/services/shcluster/captain/members/33333333-3333-3333-3333-333333333333</id>
    <updated>2016-07-22T14:12:50-07:00</updated>
    <link href="/services/shcluster/captain/members/33333333-3333-3333-3333-333333333333" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/captain/members/33333333-3333-3333-3333-333333333333" rel="list"/>
    <link href="/services/shcluster/captain/members/33333333-3333-3333-3333-333333333333" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="adhoc_searchhead">0</s:key>
        <s:key name="advertise_restart_required">0</s:key>
        <s:key name="artifact_count">6</s:key>
        <s:key name="delayed_artifacts_to_discard">
          <s:list/>
        </s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>advertise_restart_required</s:item>
                <s:item>advertise_restart_required_reason</s:item>
                <s:item>alert_csv</s:item>
                <s:item>alert_csv_epoch</s:item>
                <s:item>artifacts_location_csv</s:item>
                <s:item>completed_summaries</s:item>
                <s:item>last_oaep</s:item>
                <s:item>last_osep</s:item>
                <s:item>partial_alert_delta</s:item>
                <s:item>partial_suppression_delta</s:item>
                <s:item>peer_load_stats_gla_15m</s:item>
                <s:item>peer_load_stats_gla_1m</s:item>
                <s:item>peer_load_stats_gla_5m</s:item>
                <s:item>peer_load_stats_max_runtime</s:item>
                <s:item>peer_load_stats_num_autosummary</s:item>
                <s:item>peer_load_stats_num_historical</s:item>
                <s:item>peer_load_stats_num_realtime</s:item>
                <s:item>peer_load_stats_num_running</s:item>
                <s:item>peer_load_stats_total_runtime</s:item>
                <s:item>peer_pid</s:item>
                <s:item>scheduler_disabled</s:item>
                <s:item>suppression_csv</s:item>
                <s:item>suppression_csv_epoch</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list>
                <s:item>last_artifact_log_entry_processed</s:item>
                <s:item>last_si_entry_processed</s:item>
                <s:item>mgmt_port</s:item>
                <s:item>peer_load_stats</s:item>
                <s:item>queue_blocked_count</s:item>
              </s:list>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="fixup_set">
          <s:list/>
        </s:key>
        <s:key name="host_port_pair">wimpy:13223</s:key>
        <s:key name="is_captain">0</s:key>
        <s:key name="kv_store_host_port">wimpy:18323</s:key>
        <s:key name="label">wimpy-3</s:key>
        <s:key name="last_heartbeat">1469221966</s:key>
        <s:key name="mgmt_uri">https://wimpy:13223</s:key>
        <s:key name="no_artifact_replications">0</s:key>
        <s:key name="peer_scheme_host_port">https://wimpy:13223</s:key>
        <s:key name="pending_job_count">0</s:key>
        <s:key name="preferred_captain">1</s:key>
        <s:key name="replication_count">0</s:key>
        <s:key name="replication_port">12243</s:key>
        <s:key name="replication_use_ssl">0</s:key>
        <s:key name="site">default</s:key>
        <s:key name="status">Up</s:key>
        <s:key name="status_counter">
          <s:dict>
            <s:key name="Complete">6</s:key>
            <s:key name="NonStreamingTarget">0</s:key>
            <s:key name="PendingDiscard">0</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

shcluster/config

https://<host>:<mPort>/services/shcluster/config

List search head cluster node configuration.


GET

List search head cluster node configuration.


Request parameters

Pagination and filtering parameters can be used with this method.


Returned values

Name Description
cxn_timeout Low-level timeout, in seconds, for establishing connection between searchhead cluster nodes. Defaults to 60 seconds.
disabled Indicates if this node is disabled.
heartbeat_period Only valid for member nodes in a searchhead cluster. The time, in seconds, that a member attempts to send a heartbeat to the captain
heartbeat_timeout Only valid for the captain node in a searchhead cluster configuration. The time, in seconds, before a captain considers a member down. Once a member is down, the captain initiates steps to replicate artifacts from the dead member to its live members. Defaults to 60 seconds.
id Id of the SH cluster this member is a part of.
max_peer_rep_load Maximum number of replications that can be ongoing as a target.
mode Valid values: (disabled, member, captain, dynamic_captain) Defaults to disabled. Multiple values are permitted.

Sets operational mode for this searchhead cluster node. Only one captain may exist per searchhead cluster.

percent_peers_to_restart Percentage of peers to restart at the same time when doing a rolling restart.
ping_flag For internal use to facilitate communication between the captain and members.
quiet_period The time, in seconds, that a captain waits for members to add themselves to the searchhead cluster.
rcv_timeout Low-level timeout, in seconds, for receiving data between searchhead cluster nodes. Defaults to 60 seconds.
register_replication_address Valid only for nodes configured as members. The address on which a member is available for accepting replication data. This is useful in the cases where a member host machine has multiple interfaces and only one of them can be reached by another splunkd instance.
rep_cxn_timeout Low-level timeout, in seconds, for establishing a connection for replicating data.
rep_max_rcv_timeout Maximum cumulative time, in seconds, for receiving acknowledgement data from members. Defaults to 600s.
rep_max_send_timeout Maximum time, in seconds, for sending replication slice data between searchhead cluster nodes. Defaults to 600s.
rep_rcv_timeout Low-level timeout, in seconds, for receiving data between searchhead cluster nodes.
rep_send_timeout Low-level timeout, in seconds, for sending replication data between searchhead cluster nodes. Defaults to 5 seconds.
replication_factor Only valid for nodes configured as a captain.

Determines how many copies of raw data are created in the searchhead cluster. This could be less than the number of searchhead cluster members.

Must be greater than 0 and greater than or equal to the search factor. Defaults to 3.

replication_port TCP port to listen for replicated data from another searchhead cluster member.
replication_use_ssl Indicates whether to use SSL when sending replication data.
restart_timeout Only valid for nodes configured as a captain. The amount of time, in seconds, the captain waits for a member to come back when the member is restarted (to avoid the overhead of trying to fix the artifacts that were on the member). Defaults to 600 seconds.

Note: This only works if the member is restarted from Splunk Web.

secret Secret shared among the nodes in the searchhead cluster to prevent any arbitrary node from connecting to the searchhead cluster. If a member or searchhead is not configured with the same secret as the captain, it is not able to communicate with the captain.

Corresponds to pass4SymmKey setting in server.conf.

send_timeout Low-level timeout, in seconds, for sending data between searchhead cluster nodes. Defaults to 60 seconds.


Example request and response


XML Request

curl -k -u admin:pass https://localhost:8189/services/shcluster/config

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>shclusterconfig</title>
  <id>https://localhost:8089/services/shcluster/config</id>
  <updated>2014-10-15T08:50:47-07:00</updated>
  <generator build="235980" version="20141014"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/shcluster/config/_reload" rel="_reload"/>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>config</title>
    <id>https://localhost:8089/services/shcluster/config/config</id>
    <updated>2014-10-15T08:50:47-07:00</updated>
    <link href="/services/shcluster/config/config" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/config/config" rel="list"/>
    <link href="/services/shcluster/config/config/_reload" rel="_reload"/>
    <link href="/services/shcluster/config/config" rel="edit"/>
    <link href="/services/shcluster/config/config/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="cxn_timeout">60</s:key>
        <s:key name="disabled">0</s:key>
        ... eai:acl node elided ...
        <s:key name="heartbeat_period">5</s:key>
        <s:key name="heartbeat_timeout">60</s:key>
        <s:key name="id">BB3116C0-73B9-459A-B473-254A18A69776</s:key>
        <s:key name="max_peer_rep_load">5</s:key>
        <s:key name="mode">dynamic_captain</s:key>
        <s:key name="percent_peers_to_restart">10</s:key>
        <s:key name="ping_flag">1</s:key>
        <s:key name="quiet_period">60</s:key>
        <s:key name="rcv_timeout">60</s:key>
        <s:key name="register_replication_address"></s:key>
        <s:key name="rep_cxn_timeout">60</s:key>
        <s:key name="rep_max_rcv_timeout">600</s:key>
        <s:key name="rep_max_send_timeout">600</s:key>
        <s:key name="rep_rcv_timeout">60</s:key>
        <s:key name="rep_send_timeout">60</s:key>
        <s:key name="replication_factor">2</s:key>
        <s:key name="replication_port">3456</s:key>
        <s:key name="replication_use_ssl">0</s:key>
        <s:key name="restart_timeout">60</s:key>
        <s:key name="secret">********</s:key>
        <s:key name="send_timeout">60</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

shcluster/config/config

https://<host>:<mPort>/services/shcluster/config/config

Configure search head cluster members.


POST

Configure search head cluster members.

Request parameters

Name Type Description
rolling_restart String Sets the mode for search head cluster rolling restart. Options include:
  • restart: Initiates a rolling restart in classic mode (no guarantee of search continuity).
  • searchable: Initiates a rolling restart with minimum search interruption.
decommission_search_jobs_wait_secs Integer Specifies the amount of time, in seconds, that a search head cluster member waits for existing searches to complete before restarting. Default: 180 secs.
manual_detention Use one of the following values:
  • off: Default. Remove the target search head from the detention state.
  • on: Put the target search head in manual detention mode.
Specifies whether to put the cluster member in manual detention.
target_uri String Specifies the target node you want to put in manual detention.

Returned values
None

Example request and response

XML Request

curl -k -u admin:changed https://10.140.127.233:8089/services/shcluster/config/config -d rolling_restart=searchable -d decommission_search_jobs_wait_secs=120

XML Response

http://docs.splunk.com/Documentation/Splunk/7.2.0/RESTREF/RESTcluster

Example request and response for manual detention of a cluster member

XML Request

curl -k -u admin:changedpwd https://fool01.sv.splunk.com:8095/services/shcluster/config/config -d manual_detention=on -d target_uri=https://test.sv.splunk.com:8080

XML Response

<title>shclusterconfig</title>
  <id>https://10.140.127.233:8089/services/shcluster/config</id>
  <updated>2018-04-02T16:16:08-07:00</updated>
  <generator build="6a9fda63434" version="7.1.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/shcluster/config/_reload" rel="_reload"/>
  <link href="/services/shcluster/config/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>

shcluster/member/artifacts

https://<host>:<mPort>/services/shcluster/member/artifacts

Manage searchhead cluster member artifact configuration.


GET

List searchhead cluster members artifact configuration.


Request parameters

Pagination and filtering parameters can be used with this method.

Returned values
For each member:

Name Description
status Indicates the status of this artifact. Possible values are as follows.
Complete
The copy of this artifact contains the full complement of information.
StreamingSource
The copy of this artifact is sending data to member nodes for replication.
StreamingTarget
The copy of this artifact is receiving replicated data.
NonStreamingTarget
This copy of a warm artifact replication is in progress. Once replication is complete, the status changes to Complete.
StreamingError
The copy of this artifact encountered errors while streaming data.
PendingTruncate
The captain asked the member to truncate this copy of the artifact to a certain size and is waiting for confirmation.
PendingDiscard
The captain asked the member to discard this copy of the artifact and is waiting for confirmation.
Standalone
An artifact in the searchhead cluster that is not replicated.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8189/services/shcluster/member/artifacts

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>shclustermemberartifacts</title>
  <id>https://localhost:8089/services/shcluster/member/artifacts</id>
  <updated>2014-10-15T08:51:46-07:00</updated>
  <generator build="235980" version="20141014"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888</title>
    <id>https://localhost:8089/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888</id>
    <updated>2014-10-15T08:51:46-07:00</updated>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888" rel="list"/>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="status">Complete</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888</title>
    <id>https://localhost:8089/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888</id>
    <updated>2014-10-15T08:51:46-07:00</updated>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888" rel="list"/>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="status">Complete</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387900_290_88888888-8888-8888-8888-888888888888</title>
    <id>https://localhost:8089/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387900_290_88888888-8888-8888-8888-888888888888</id>
    <updated>2014-10-15T08:51:46-07:00</updated>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387900_290_88888888-8888-8888-8888-888888888888" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387900_290_88888888-8888-8888-8888-888888888888" rel="list"/>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387900_290_88888888-8888-8888-8888-888888888888" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="status">Complete</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413388200_291_88888888-8888-8888-8888-888888888888</title>
    <id>https://localhost:8089/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413388200_291_88888888-8888-8888-8888-888888888888</id>
    <updated>2014-10-15T08:51:46-07:00</updated>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413388200_291_88888888-8888-8888-8888-888888888888" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413388200_291_88888888-8888-8888-8888-888888888888" rel="list"/>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413388200_291_88888888-8888-8888-8888-888888888888" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        <s:key name="status">Complete</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

shcluster/member/artifacts/{name}

https://<host>:<mPort>/services/shcluster/member/artifacts/{name}

Get {name} member artifact configuration.


GET

List {name} member artifact information.


Request parameters

Pagination and filtering parameters can be used with this method.

Returned values

Name Description
status Indicates the status of this artifact. Possible values are as follows.
Complete
The copy of this artifact contains the full complement of information.
StreamingSource
The copy of this artifact is sending data to member nodes for replication.
StreamingTarget
The copy of this artifact is receiving replicated data.
NonStreamingTarget
This copy of a warm artifact replication is in progress. Once replication is complete, the status changes to Complete.
StreamingError
The copy of this artifact encountered errors while streaming data.
PendingTruncate
The captain asked the member to truncate this copy of the artifact to a certain size and is waiting for confirmation.
PendingDiscard
The captain asked the member to discard this copy of the artifact and is waiting for confirmation.
Standalone
An artifact in the searchhead cluster that is not replicated.


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8189/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413518400_762_88888888-8888-8888-8888-888888888888

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>shclustermemberartifacts</title>
  <id>https://localhost:8089/services/shcluster/member/artifacts</id>
  <updated>2014-10-16T22:33:37-07:00</updated>
  <generator build="235980" version="20141014"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413518400_762_88888888-8888-8888-8888-888888888888</title>
    <id>https://wimpy.splunk.com:55569/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413518400_762_88888888-8888-8888-8888-888888888888</id>
    <updated>2014-10-16T22:33:37-07:00</updated>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413518400_762_88888888-8888-8888-8888-888888888888" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413518400_762_88888888-8888-8888-8888-888888888888" rel="list"/>
    <link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413518400_762_88888888-8888-8888-8888-888888888888" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        ... eai:acl node elided ...
        ... eai:attributes node elided ...
        <s:key name="status">Complete</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

shcluster/member/control/control/set_manual_detention

https://<host>:<mPort>//services/shcluster/member/control/control/set_manual_detention

Put the search head cluster member in manual detention mode or take the search head cluster member out of this mode. When a search head cluster member is in manual detention, it does not accept new search jobs, including both scheduled and ad-hoc searches. Existing search jobs run to completion. It also participates in cluster administration operations with the exception of artifact replication.


POST

Adjust search head manual detention mode.


Request parameters

Name Type Description
manual_detention Use one of the following values.
  • off: Default. Remove the search head from the detention state.
  • on: Put the search head in manual detention mode.
Enable or disable manual detention.


Returned values
None


Example request and response

XML Request

curl  -u admin:password -k https://localhost:8089/servicesNS/admin/search/shcluster/member/control/control/set_manual_detention -d manual_detention=on

XML Response


 <title>shclustermembercontrol</title>
  <id>https://localhost:8089/servicesNS/admin/search/shcluster/member/control</id>
  <updated>2018-03-28T08:04:28-07:00</updated>
  <generator build="5fbc8cfc742f" version="7.2.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/shcluster/member/control/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>



shcluster/member/consensus

https://<host>:<mPort>/services/shcluster/member/consensus

Get latest cluster configuration from the raft consensus protocol.


GET

Get latest cluster configuration from the raft consensus protocol.


Request parameters

Pagination and filtering parameters can be used with this method.


Returned values
These values are returned for each member.

Name Description
configuration_id Unique id for this configuration.
servers_list Comma-separated list of members that are part of the cluster. Each member is listed as scheme://host:port


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8189/services/shcluster/member/consensus

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>shclustermemberconsensus</title>
  <id>https://localhost:8089/services/shcluster/member/consensus</id>
  <updated>2014-10-15T08:52:28-07:00</updated>
  <generator build="235980" version="20141014"/>
  <author>
    <name>Splunk</name>
  </author>
  ... opensearch nodes elided ...
  <s:messages/>
  <entry>
    <title>shc_cluster_configuration</title>
    <id>https://localhost:8089/services/shcluster/member/consensus/shc_cluster_configuration</id>
    <updated>2014-10-15T08:52:28-07:00</updated>
    <link href="/services/shcluster/member/consensus/shc_cluster_configuration" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/member/consensus/shc_cluster_configuration" rel="list"/>
    <link href="/services/shcluster/member/consensus/shc_cluster_configuration" rel="edit"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="configuration_id">4</s:key>
        ... eai:acl node elided ...
        <s:key name="servers_list">https://localhost:55560,https://localhost:55569</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

shcluster/member/info

https://<host>:<mPort>/services/shcluster/member/info

Access searchhead cluster member node information.


GET

List member information.


Request parameters

Pagination and filtering parameters can be used with this method.


Returned values
These values are returned for each member.

Name Description
active_historical_search_count Number of currently running historical searches.
active_realtime_search_count Number of currently running realtime searches.
adhoc_searchhead Flag that indicates if this member can run scheduled searches.
is_registered Indicates if this member is registered with the searchhead cluster captain.
last_heartbeat_attempt Timestamp for the last attempt to contact the captain.
maintenance_mode N/A
peer_load_stats_gla_15m Number of scheduled searches run in the last 15 minutes.
peer_load_stats_gla_1m Number of scheduled searches run in the last one minute.
peer_load_stats_gla_5m Number of scheduled searches run in the last five minutes.
peer_load_stats_max_runtime N/A
peer_load_stats_num_autosummary N/A
peer_load_stats_num_historical N/A
peer_load_stats_num_realtime N/A
peer_load_stats_num_running N/A
peer_load_stats_total_runtime N/A
restart_state Indicates whether the member needs to be restarted to enable its searchhead cluster configuration.
status Indicates the status of the member. Possible values are as follows.
  • Up
  • Pending
  • AutomaticDetention
  • ManualDetention
  • Restarting
  • ShuttingDown
  • ReassigningPrimaries
  • Decommissioning
  • GracefulShutdown
  • Down


Example request and response

XML Request

curl -k -u admin:pass https://localhost:8189/services/shcluster/member/info

XML Response


<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>shclustermemberinfo</title>
  <id>https://10.222.21.58:8089/services/shcluster/member/info</id>
  <updated>2018-03-29T12:05:35-07:00</updated>
  <generator build="d75793dbca24" version="7.1.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/shcluster/member/info/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>member</title>
    <id>https://10.222.21.58:8089/services/shcluster/member/info/member</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/services/shcluster/member/info/member" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/member/info/member" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="active_historical_search_count">0</s:key>
        <s:key name="active_realtime_search_count">0</s:key>
        <s:key name="adhoc_searchhead">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="is_registered">1</s:key>
        <s:key name="last_heartbeat_attempt">1522350335</s:key>
        <s:key name="maintenance_mode">0</s:key>
        <s:key name="no_artifact_replications">0</s:key>
        <s:key name="peer_load_stats_gla_15m">0</s:key>
        <s:key name="peer_load_stats_gla_1m">0</s:key>
        <s:key name="peer_load_stats_gla_5m">0</s:key>
        <s:key name="peer_load_stats_max_runtime">0</s:key>
        <s:key name="peer_load_stats_num_autosummary">0</s:key>
        <s:key name="peer_load_stats_num_historical">0</s:key>
        <s:key name="peer_load_stats_num_realtime">0</s:key>
        <s:key name="peer_load_stats_num_running">0</s:key>
        <s:key name="peer_load_stats_total_runtime">0</s:key>
        <s:key name="restart_state">NoRestart</s:key>
        <s:key name="status">ManualDetention</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

shcluster/status

https://<host>:<mPort>/services/shcluster/status

Performs health checks to determine search head cluster health status, prior to a rolling upgrade or rolling restart.

Authentication and Authorization

Requires the admin role or list_search_head_clustering capability.


GET

Get search head cluster health status information .


Request parameters

Name Type Description
advanced Boolean Lists search head cluster status information in a verbose manner.


Returned values
These values are returned for each member.

Node Name Datatype Description
Captain decommission_search_jobs_wait_secs Integer Determines the maximum time, in seconds, that a member waits for search jobs to complete before it transitions to the down or GracefulShutdown state.
dynamic_captain Boolean If true (1), then the captain is selected by elections. If false (0), then a static captain (no elections) is assigned.
elected_captain String The time when new captain is elected.
id String Specifies the search head cluster GUID.
initialized_flag Boolean Indicates if the captain is initialized.
label String Specifies the search head cluster label.
max_failures_to_keep_majority Boolean Indicates how many more nodes can be down to keep majority.
mgmt_uri String Specifies the URI and management port for the captain.
min_peers_joined_flag Boolean min_peers_joined_flag is true when there are at least as many search head peers as the replication_factor.
rolling_restart String Shows the restart mode, either restart or searchable.
rolling_restart_flag Boolean rolling_restart_flag is true when a rolling restart is in progress.
rolling_upgrade_flag Boolean rolling_upgrade_flag is true when a rolling upgrade is in progress.
service_ready_flag Boolean service_ready_flag is true when everything is up and running as expected and "ready to go!"
stable_captain Boolean Indicates stable captain based on heartbeat.
Member label String Specifies the search head label.
last_conf_replication String Specifies when the member last pulled a set of configurations from the captain.
manual_detention String Indicates if the member is in manual detention. Use off or on.
mgmt_uri String Specifies the URI and management port for the member.
mgmt_uri_alias String Specifies the URI and management port for the member.
out_of_sync_node Boolean out_of_sync_node is true when the member is out of sync.
preferred_captain Boolean Indicates the member's preference for captaincy.
restart_required Boolean restart_required is true when member requests a restart
splunk_version String Splunk version running on the search head.
status String Indicates the current status of the member.


Example request and response

XML Request

curl -k -u admin:changed123 https://localhost:8089/services/shcluster/status?advanced=1?

XML Response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>shclusterstatus</title>
  <id>https://10.222.21.58:8089/services/shcluster/status</id>
  <updated>2018-03-29T12:00:50-07:00</updated>
  <generator build="d75793dbca24" version="7.1.0"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/shcluster/status/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>status</title>
    <id>https://10.222.21.58:8089/services/shcluster/status/status</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/services/shcluster/status/status" rel="alternate"/>
    <author>
      <name>system</name>
    </author>
    <link href="/services/shcluster/status/status" rel="list"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="captain">
          <s:dict>
            <s:key name="dynamic_captain">1</s:key>
            <s:key name="elected_captain">Thu Mar 29 11:58:04 2018</s:key>
            <s:key name="id">93E0DBE8-A435-462F-BF7D-6297C9D9F939</s:key>
            <s:key name="initialized_flag">1</s:key>
            <s:key name="label">ip-10-222-21-58</s:key>
            <s:key name="mgmt_uri">https://10.222.21.58:8089</s:key>
            <s:key name="min_peers_joined_flag">1</s:key>
            <s:key name="rolling_restart_flag">0</s:key>
            <s:key name="service_ready_flag">1</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app"></s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">0</s:key>
            <s:key name="owner">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>admin</s:item>
                    <s:item>splunk-system-role</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="peers">
          <s:dict>
            <s:key name="2EF65F8B-2689-4A77-B056-E824B2FEB0CA">
              <s:dict>
                <s:key name="label">ip-10-222-25-57</s:key>
                <s:key name="last_conf_replication">Thu Mar 29 12:00:49 2018</s:key>
                <s:key name="mgmt_uri">https://10.222.25.57:8089</s:key>
                <s:key name="mgmt_uri_alias">https://10.222.25.57:8089</s:key>
                <s:key name="status">Up</s:key>
              </s:dict>
            </s:key>
            <s:key name="48E93CC7-9A2D-40BE-BAF5-EB9C87200FA5">
              <s:dict>
                <s:key name="label">ip-10-222-31-70</s:key>
                <s:key name="last_conf_replication">Thu Mar 29 12:00:46 2018</s:key>
                <s:key name="mgmt_uri">https://10.222.31.70:8089</s:key>
                <s:key name="mgmt_uri_alias">https://10.222.31.70:8089</s:key>
                <s:key name="status">Up</s:key>
              </s:dict>
            </s:key>
            <s:key name="F8AB4ECE-F14A-415E-AEBE-9BC87216D056">
              <s:dict>
                <s:key name="label">ip-10-222-21-58</s:key>
                <s:key name="mgmt_uri">https://10.222.21.58:8089</s:key>
                <s:key name="mgmt_uri_alias">https://10.222.21.58:8089</s:key>
                <s:key name="status">Up</s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed> 

upgrade/shc/recovery

https://<host>:<mPort>/services/upgrade/shc/recovery

Return search head cluster to ready state after automated rolling upgrade failure.


Authentication and Authorization
Requires admin role or another role containing these capabilties:

  • upgrade_splunk_shc
  • list_search_head_clustering
  • list_settings
  • use_remote_proxy


GET

Return SHC to ready state after automated rolling upgrade failure.


Request parameters

None


Returned values

Name Type Description
status String Status of HTTP request. For example, "succeeded" or "failed"

Example request and response

JSON Request

curl -u admin:pass -k https://localhost:8089/services/upgrade/shc/recovery?output_mode=json

JSON Response

{
    "updated":"2022-11-24T17:36:20+0000",
    "author":"Splunk",
    "layout":"props",
    "entry":[
        {
            "title":"recovery",
            "id":"/services/upgrade/shc/recovery",
            "updated":"2022-11-24T17:36:20+0000",
            "links":{
                "alternate":{
                    "href":"shc/recovery"
                }
            },
            "content":{
                "message":"Instance recovered successfully",
                "status":"succeeded"
            }
        }
    ]
}

upgrade/shc/status

https://<host>:<mPort>/services/upgrade/shc/status

Check the status of an automated search head cluster rolling upgrade.


Authentication and Authorization
Requires admin role or another role containing these capabilities:

  • upgrade_splunk_shc
  • list_search_head_clustering
  • list_settings
  • use_remote_proxy


GET

Check the status of automated SHC rolling upgrade.


Request parameters

None


Returned values

Name Type Description
upgrade status String Status of automated rollling upgrade for entire clutser.
peers_to_upgrade Number The total number of cluster members to upgrade.
overall_peers_upgraded Number The number of cluster members upgraded at present.
overall_peers_upgraded_percentage Number The percentage of total cluster members upgraded at present.
name String The name of the individual cluster member.
status String Upgrade status of the individual cluster member.
last_modified String Date and time the individual cluster member was modified.

Example request and response

JSON Request

curl -u admin:pass -k https://localhost:8089/services/upgrade/shc/status?output_mode=json

JSON Response

{
    "updated":"2022-11-24T17:33:28+0000",
    "author":"Splunk",
    "layout":"props",
    "entry":[
        {
            "title":"status",
            "id":"/services/upgrade/shc/status",
            "updated":"2022-11-24T17:33:28+0000",
            "links":{
                "alternate":{
                    "href":"shc/status"
                }
            },
            "content":{
                "message":{
                    "upgrade_status":"completed",
                    "statistics":{
                        "peers_to_upgrade":3,
                        "overall_peers_upgraded":3,
                        "overall_peers_upgraded_percentage":100
                    },
                    "peers":[
                        {
                            "name":"sh2",
                            "status":"upgraded",
                            "last_modified":"Thu Nov 24 17:29:41 2022"
                        },
                        {
                            "name":"sh1",
                            "status":"upgraded",
                            "last_modified":"Thu Nov 24 17:28:07 2022"
                        },
                        {
                            "name":"sh3",
                            "status":"upgraded",
                            "last_modified":"Thu Nov 24 17:31:15 2022"
                        }
                    ]
                }
            }
        }
    ]
}

upgrade/shc/upgrade

https://<host>:<mPort>/services/upgrade/shc/upgrade

Initiate an automated rolling upgrade of a search head cluster.


Authentication and Authorization
Requires admin role or another role containing these capabilities:

  • upgrade_splunk_shc
  • list_search_head_clustering
  • list_settings
  • use_remote_proxy


POST

Initiate automated SHC rolling upgrade.


Request parameters

None


Returned values

Name Type Description
status String Status of HTTP request. For example, "succeeded" or "failed".

Example request and response

JSON Request

curl -X POST -u admin:pass -k https://localhost:8089/services/upgrade/shc/upgrade?output_mode=json

JSON Response

{
    "updated":"2022-11-24T17:25:54+0000",
    "author":"Splunk",
    "layout":"props",
    "entry":[
        {
            "title":"upgrade",
            "id":"/services/upgrade/shc/upgrade",
            "updated":"2022-11-24T17:25:54+0000",
            "links":{
                "alternate":{
                    "href":"shc/upgrade"
                }
            },
            "content":{
                "message":"Upgrade initiated",
                "status":"succeeded"
            }
        }
    ]
}

Last modified on 25 September, 2023
Application endpoint descriptions   Configuration endpoint descriptions

This documentation applies to the following versions of Splunk® Enterprise: 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters