How to view a Splunk SOAR (On-premises) cluster's status

Information on getting or viewing a Splunk SOAR (On-premises) cluster's status for the cluster or its nodes.

You can view the status of a Splunk SOAR (On-premises) cluster from the user interface, using the REST API, or using command line tools.

View cluster status with the Splunk SOAR (On-premises) user interface

Perform the following steps to access the Clustering page in:

  1. From the main menu, select Administration.
  2. Select Product Settings > Clustering.

The status of online means that the cluster node is up and running.

Click View next a cluster node's entry to view the system health for that specific node. See View the health of your Splunk SOAR (On-premises) system to read more about the system health view for cluster nodes.

View cluster status with the REST API

You can use the REST API to get status information about your Splunk SOAR (On-premises) cluster.

Use the /rest/cluster_node end point to get JSON-formatted information about your cluster. This end point requires an authenticated user with system settings permissions.

See REST Cluster Nodes in the REST API Reference for usage and examples.

View cluster status using command line tools

In Splunk SOAR (On-premises) clusters version 5.3.0 and higher you can use the command line from a terminal logged into to any node in your cluster to view your cluster's status. The command phenv cluster_management --status gives you;

  • the name, ID, and status information for each node in your cluster

    • Name: The name or IP address of the cluster node

    • ID: the full GUID of the Splunk SOAR (On-premises) cluster node.

    • Status: If the node is turned on, the status will include Enabled=True. If the node is online, the status will include Online=True.

  • information from Consul

  • information from RabbitMQ

phenv cluster_management --status

Example output:

Splunk SOAR Cluster State:
ClusterNodes found in the database:
  ID: 68292614-f553-4890-a296-62ba782c9f30
  Name: 10.1.19.107
  Status: Enabled=True Online=True
  ID: 5581ed38-17ac-4b20-9bde-d025b999605b
  Name: 10.1.18.249
  Status: Enabled=True Online=True
  ID: 434d154d-eb38-4ac9-99e9-cfbdc6b0e4e9
  Name: 10.1.18.227
  Status: Enabled=True Online=True
Consul:
Node                                  Address           Status  Type    Build  Protocol  DC   Segment
434d154d-eb38-4ac9-99e9-cfbdc6b0e4e9  10.1.18.227:8301  alive   server  1.8.4  2         dc1  <all>
5581ed38-17ac-4b20-9bde-d025b999605b  10.1.18.249:8301  alive   server  1.8.4  2         dc1  <all>
68292614-f553-4890-a296-62ba782c9f30  10.1.19.107:8301  alive   server  1.8.4  2         dc1  <all>
Consul Leader GUID:
5581ed38-17ac-4b20-9bde-d025b999605b
Splunk SOAR Leader GUID:
5581ed38-17ac-4b20-9bde-d025b999605b
RabbitMQ:
Cluster status of node rabbit@10.1.18.249 ...
[{nodes,[{disc,['rabbit@10.1.18.227','rabbit@10.1.18.249',
                'rabbit@10.1.19.107']}]},
 {running_nodes,['rabbit@10.1.18.227','rabbit@10.1.19.107',
                 'rabbit@10.1.18.249']},
 {cluster_name,<<"rabbit@localhost">>},
 {partitions,[]},
 {alarms,[{'rabbit@10.1.18.227',[]},
          {'rabbit@10.1.19.107',[]},
          {'rabbit@10.1.18.249',[]}]}]