How to get a list of search heads in my Splunk environment?

GeoCouloute
Engager

Hi,

I am relatively new to Splunk and I would like to know how to find out the number of "Search Heads" in my Splunk environment. I am sure there is a query that will display this information. Any assistance on how to accomplish this would be a great help. I look forward to your response.

0 Karma

PowerPacked
Builder

Hi @GeoCouloute

If you have a newer version of Splunk, 7.1.1,
you can see a new option in Settings --- Search Head Clustering --- from there you can see the list of all search heads in the cluster.

From the CLI you can also execute the query ./splunk show shcluster-status --- to see the list of all search heads, including the captain, in the cluster.

Thanks

0 Karma

ddrillic
Ultra Champion

If you have access to the Monitoring Console, it would show you the Search Heads, Indexers and more....

0 Karma

jowenssi
Path Finder

This is true, but only if the environment is configured correctly. The rest call below will display the same role information.

0 Karma

jowenssi
Path Finder

The easiest/quickest way would be to identify the instances running a Job Scheduler. Depending on the configuration of the distributed environment, this could return Indexers or instances with other Splunk roles that run jobs. This query also assumes that all of your logs are being forwarded to the Indexers.

index=_internal sourcetype=scheduler

You could then run this REST search on the instances to identify if the Splunk role is set as a Search Head:

| rest splunk_server=local /services/server/info | table serverName server_roles

0 Karma

gerrysr6
Explorer

I tried both commands and they return different servers.

The first command seems to return indexers (don't care); the second command lists one server and its roles, which includes search_head (good).

Why would I care about schedulers? Are you saying the scheduler might also be the search head?

0 Karma

isoutamo
SplunkTrust

Hi

To get REST queries to work, all those servers must be defined as search peers of this instance. Usually you define only indexers as peers for the SH, so that's the reason you are not finding other SHs with it, except on the MC, where you have already added them as peers to get the REST API and MC working correctly.

The scheduler runs on full Splunk instances where there is some search activity. This means at least SH, IDX and CM. Maybe some HF could also match this, as well as LM, DS and Deployer (cannot check it now). An easy way to drop the IDXs from that list (if you have only one IDX cluster/indexer where you send your internal logs) is:

| tstats count where index=_internal sourcetype=scheduler NOT 
    [| tstats count where index=_internal sourcetype=scheduler by splunk_server 
    | fields splunk_server 
    | rename splunk_server as host
    | format] by host
| table host
| rename host as "Instances which can use as SH"

If you have several IDXc + indexers connected to this SH, then you need to add some other indexes here to get the full list of splunk_servers where events are stored.

r. Ism 

0 Karma
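
An added example, not code from any poster in this thread: because `| rest` only reaches instances configured as search peers, this Python script asks each candidate host (for instance, the hosts returned by the scheduler search) for `/services/server/info` on its own management port and keeps those whose `server_roles` include a search head role. Assumptions: token authentication is enabled, the management port is 8089, and the host names and sample responses are constructed.

```python
"""Added example: decide which Splunk instances are search heads from
/services/server/info responses fetched directly from each instance."""
import json
import ssl
import urllib.request

# Roles that mark an instance as a search head (standalone, indexer-cluster
# search head, or search head cluster member/captain).
SH_ROLES = {"search_head", "cluster_search_head", "shc_member", "shc_captain"}


def fetch_server_info(host, token, port=8089, cafile=None):
    """GET /services/server/info from one instance's management port.
    Assumes `token` is a Splunk authentication token; TLS is verified against
    `cafile` (or the system trust store when it is None)."""
    url = f"https://{host}:{port}/services/server/info?output_mode=json"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def search_head_roles(info):
    """Return (serverName, sorted SH roles) for one parsed response,
    or None when the instance has no search head role."""
    content = info["entry"][0]["content"]
    roles = content.get("server_roles", [])
    if isinstance(roles, str):  # tolerate a single role given as a string
        roles = [roles]
    matched = sorted(SH_ROLES.intersection(roles))
    return (content["serverName"], matched) if matched else None


def list_search_heads(responses):
    """Filter an iterable of parsed responses down to search heads."""
    return [hit for hit in map(search_head_roles, responses) if hit]


# Constructed sample responses, trimmed to the two fields used above.
SAMPLE = [
    {"entry": [{"content": {"serverName": "sh01", "server_roles": ["search_head", "kv_store", "shc_member"]}}]},
    {"entry": [{"content": {"serverName": "idx01", "server_roles": ["indexer", "cluster_slave"]}}]},
    {"entry": [{"content": {"serverName": "cm01", "server_roles": ["cluster_master", "license_master"]}}]},
]

if __name__ == "__main__":
    for name, roles in list_search_heads(SAMPLE):
        print(name, ",".join(roles))
```

For a live inventory, pass `fetch_server_info(h, token)` for each candidate host into `list_search_heads` instead of `SAMPLE`.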