Hi lmethwani [Splunk],
Thank you for your answer.
The search you suggested gives me 0 results using splunk_server=local, splunk_server=sh1 and splunk_server=sh2 from the Master Node (where Monitoring Console is installed).
I'm running the main REST command (without the piped commands) and I have results using splunk_server=sh1 (my main Search Head) but I haven't any answer using splunk_server=sh2 (the SH where is installed ES).
It seems like remote REST command interface is disabled on SH2 (locally REST command are OK).

The link you suggested isn't reachable.

Bye.
Giuseppe

I am able to access the link. However, the link says to update the REST endpoint

2017-05-10 SOLNESS-12056, SOLNESS-12106 On instances running Splunk Enterprise Security 4.6.0 or later, the Get Enabled Correlation Searches panel does not show results.
Workaround:
Replace the search with the following syntax: | rest splunk_server=local count=0 /services/saved/searches | search action.correlationsearch.enabled = 1 | stats count as total, count(eval(disabled=0)) as enabled | eval op = enabled . "/" . total | fields op

Hi lmethwani [Splunk],
About the link, it addresses the main documentation page (?).
Locally runnning the search you suggested, I have 412 results.
I don't understand why you suggest to replace this search on the ES Search Head, I think that my problem is probably different:
From my Monitoring Console (that's on a different server not the SHs) all the REST command to the SH2 (the one with ES) gives no results, it seems that there's something strange in SSL configs.

Bye.
Giuseppe

One additional information:
I found that trying to use REST command from an SH to the other (both SH1->SH2 and SH2->SH1) I haven't any result.
Instead they runs on local and to the other Splunk servers (without SSL).
It seems that there's something wrong in SSL configuration using REST.

Bye.
Giuseppe