Splunk Enterprise version 8.2 is no longer supported as of September 30, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise.
For documentation on the most recent version, go to the latest release.
Federated search endpoint descriptions
Use the Federated Search REST API endpoints to create, update, and delete definitions for federated providers and federated indexes.
See About federated search for more information.
Usage details
Review ACL information for an endpoint
To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.
Authentication and Authorization
Username and password authentication are required for access to endpoints and REST operations.
Splunk users must have role and/or capability-based authorization to use REST endpoints, and must have the admin_all_objects and edit_indexes capabilities to use the federated search endpoints detailed in this topic.
Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls > Users. To determine the capabilities assigned to a role, select Settings > Access controls > Roles.
App and user context
Typically, knowledge objects, such as saved searches or event types, have an app/user context that is the namespace. For more information about specifying a namespace, see Namespace in the REST API User Manual.
Splunk Cloud Platform URL for REST API access
Splunk Cloud Platform has a different host and management port syntax than Splunk Enterprise. Paid subscribers to the Splunk Cloud Platform service use the following URL to access REST API resources:
https://<deployment-name>.splunkcloud.com:8089
See Access requirements and limitations for the Splunk Cloud Platform REST API in the the REST API Tutorials manual for more information.
data/federated/provider
https://<host>:<mPort>/services/data/federated/provider
Use this endpoint to get a list of federated providers and post new federated provider definitions. See Define a federated provider.
Authentication and authorization
Use of the GET and POST operations for this endpoint are restricted to roles that have the admin_all_objects and indexes_edit capabilities.
GET
Expand
Returns a list of federated providers.
Request parameters
None specific to this method. This method can use pagination and filtering parameters.
Returned values
| Name | Description |
|---|---|
| name | Specifies the name of the federated provider. |
| appContext | Specifies the Splunk application context for the federated searches that will be run with this federated provider definition. The application context ensures that federated searches using this federated provider are limited to the knowledge objects that are associated with the named application. If useFSHKnowledgeObjects = true, appContext specifies an app that is installed on the federated search head of your local Splunk platform deployment. If useFSHKnowledgeObjects = false, appContext specifies an app that is installed on the remote search head of the federated provider.
|
| hostPort | Specifies the protocols required to connect to a federated provider. Usually follows this format <Host_Name>:<Service_Port_Number>. In some cases, an IP address is used instead of a host name. |
| serviceAccount | Specifies the user name for a service account that has been set up on the federated provider for the purpose of facilitating secure federated searches. |
| type | Specifies the federated provider type. At this point, only Splunk deployments are supported. Defaults to splunk.
|
| useFSHKnowledgeObjects | When set to true, specifies that federated searches with this provider use knowledge objects from the federated search head on the local deployment. When set to false, specifies that federated searches with this provider use knowledge objects from the remote deployment specified in the federated provider. Defaults to True.
|
Example request and response
Return a list of federated providers. (The XML response shows an example of a single returned federated provider record.)
XML Request
curl -k -u admin:changeme https://localhost:8089/services/data/federated/provider
XML response
...
<entry>
<title>provider-1</title>
<id>/servicesNS/nobody/system/data/federated/provider/provider-1</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="list"/>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-1/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="edit"/>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="remove"/>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-1/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="appContext">search</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="hostPort">localhost:8090</s:key>
<s:key name="serviceAccount">user1</s:key>
<s:key name="type">splunk</s:key>
<s:key name="useFSHKnowledgeObjects">1</s:key>
</s:dict>
</content>
</entry>
POST
Expand
Creates a new federated provider definition.
Request parameters
| Name | Type | Description |
|---|---|---|
| name | String | Required. Specify a unique name for the federated provider. |
| appContext | String | Specify the short name of an app to apply an application context to federated searches on the federated provider. The application context determines which set of knowledge objects is applied to the federated searches.
Defaults to |
| hostPort | String | Required. Provide the host name and port number for the federated provider, separated by a colon character. For example: buttercupgames.splunkcloud.com:8089.
|
| password | String | Required. Provide the password for a service account that is already set up on the federated provider. This dedicated user account allows the federated search head on your local instance to securely search datasets on the federated provider. |
| serviceAccount | String | Required. Provide the username for a service account that is already set up on the federated provider. This dedicated user account allows the federated search head on your local instance to securely search datasets on the federated provider. |
| type | String | Set the type of federated provider. Currently only Splunk deployments are supported. Defaults to splunk. No other values are allowed.
|
| useFSHKnowledgeObjects | Boolean | When set to true, specifies that federated searches with this provider use knowledge objects from the federated search head on the local deployment. When set to false, specifies that federated searches with this provider use knowledge objects from the remote deployment specified in the federated provider. Defaults to True.
|
Returned values
| Name | Description |
|---|---|
| name | Specifies the name of the federated provider. |
| appContext | Specifies the Splunk application context for the federated searches that will be run with this federated provider definition. The application context ensures that federated searches using this federated provider are limited to the knowledge objects that are associated with the named application. If useFSHKnowledgeObjects = true, appContext specifies an app that is installed on the federated search head of your local Splunk platform deployment. If useFSHKnowledgeObjects = false, appContext specifies an app that is installed on the remote search head of the federated provider.
|
| hostPort | Specifies the protocols required to connect to a federated provider. Usually follows this format <Host_Name>:<Service_Port_Number>. In some cases, an IP address is used instead of a host name. |
| serviceAccount | Specifies the user name for a service account that has been set up on the federated provider for the purpose of facilitating secure federated searches. |
| type | Specifies the federated provider type. At this point, only Splunk deployments are supported. Defaults to splunk.
|
| useFSHKnowledgeObjects | When set to true, specifies that federated searches with this provider use knowledge objects from the federated search head on the local deployment. When set to false, specifies that federated searches with this provider use knowledge objects from the remote deployment specified in the federated provider. Defaults to True.
|
Example request and response
Create a new definition for a federated provider named provider-1.
XML Request
curl -k -u admin:changeme https://localhost:8089/services/data/federated/provider -d name=provider-1 -d type=splunk -d appContext=search -d hostPort=localhost:8090 -d serviceAccount=user1 -d password=secret1 -d useFSHKnowledgeObjects=1
XML response
...
<entry>
<title>provider-1</title>
<id>/servicesNS/nobody/system/data/federated/provider/provider-1</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="list"/>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-1/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="edit"/>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="appContext">search</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="hostPort">localhost:8090</s:key>
<s:key name="serviceAccount">user1</s:key>
<s:key name="type">splunk</s:key>
<s:key name="useFSHKnowledgeObjects">1</s:key>
</s:dict>
</content>
</entry>
data/federated/provider/{federated_provider_name}
https://<host>:<mPort>/services/data/federated/provider/{federated_provider_name}
Use this endpoint to:
- Retrieve a definition for a specific
{federated_provider_name}. - Update a definition for a specific
{federated_provider_name}. - Delete a definition for a specific
{federated_provider_name}.
See Define a federated provider.
Authentication and Authorization
Usage of the GET, POST, and DELETE operations for this endpoint require the admin_all_objects and indexes_edit capabilities.
GET
Expand
Returns a definition of a specific {federated_provider_name}.
Request parameters
None specific to this method.
Returned values
| Name | Description |
|---|---|
| name | Specifies the name of the federated provider. |
| appContext | Specifies the Splunk application context for the federated searches that will be run with this federated provider definition. The application context ensures that federated searches using this federated provider are limited to the knowledge objects that are associated with the named application. If useFSHKnowledgeObjects = true, appContext specifies an app that is installed on the federated search head of your local Splunk platform deployment. If useFSHKnowledgeObjects = false, appContext specifies an app that is installed on the remote search head of the federated provider.
|
| hostPort | Specifies the protocols required to connect to a federated provider. Usually follows this format <Host_Name>:<Service_Port_Number>. In some cases, an IP address is used instead of a host name. |
| serviceAccount | Specifies the user name for a service account that has been set up on the federated provider for the purpose of facilitating secure federated searches. |
| type | Specifies the federated provider type. At this point, only Splunk deployments are supported. Defaults to splunk.
|
| useFSHKnowledgeObjects | When set to true, specifies that federated searches with this provider use knowledge objects from the federated search head on the local deployment. When set to false, specifies that federated searches with this provider use knowledge objects from the remote deployment specified in the federated provider. Defaults to True.
|
Example request and response
Return the definition for the my_federated_provider federated provider.
XML Request
curl -k -u admin:changeme https://localhost:8089/services/data/federated/provider/my_federated_provider
XML response
...
<entry>
<title>my_federated_provider</title>
<id>/servicesNS/nobody/system/data/federated/provider/my_federated_provider</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="list"/>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="edit"/>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="remove"/>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="appContext">search</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>appContext</s:item>
<s:item>hostPort</s:item>
<s:item>password</s:item>
<s:item>serviceAccount</s:item>
<s:item>type</s:item>
<s:item>useFSHKnowledgeObjects</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list>
<s:item>.*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="hostPort">localhost:8090</s:key>
<s:key name="serviceAccount">user1</s:key>
<s:key name="type">splunk</s:key>
<s:key name="useFSHKnowledgeObjects">1</s:key>
</s:dict>
</content>
</entry>
POST
Expand
Updates a definition for a specific {federated_provider_name}.
Request parameters
At least one argument is required.
| Name | Type | Description |
|---|---|---|
| appContext | String | Specify the short name of an app to apply an application context to federated searches on the federated provider. The application context determines which set of knowledge objects is applied to the federated searches.
Defaults to |
| hostPort | String | Provide the host name and port number for the federated provider, separated by a colon character. For example: buttercupgames.splunkcloud.com:8089.
|
| password | String | Provide the password for a service account that is already set up on the federated provider. This dedicated user account allows the federated search head on your local instance to securely search datasets on the federated provider. |
| serviceAccount | String | Provide the username for a service account that is already set up on the federated provider. This dedicated user account allows the federated search head on your local instance to securely search datasets on the federated provider. |
| type | String | Set the type of federated provider. Currently only Splunk deployments are supported. Defaults to splunk. No other values are allowed.
|
| useFSHKnowledgeObjects | Boolean | When set to true, specifies that federated searches with this provider use knowledge objects from the federated search head on the local deployment. When set to false, specifies that federated searches with this provider use knowledge objects from the remote deployment specified in the federated provider. Defaults to True.
|
Returned values
| Name | Description |
|---|---|
| name | Specifies the name of the federated provider. |
| appContext | Specifies the Splunk application context for the federated searches that will be run with this federated provider definition. The application context ensures that federated searches using this federated provider are limited to the knowledge objects that are associated with the named application. If useFSHKnowledgeObjects = true, appContext specifies an app that is installed on the federated search head of your local Splunk platform deployment. If useFSHKnowledgeObjects = false, appContext specifies an app that is installed on the remote search head of the federated provider.
|
| hostPort | Specifies the protocols required to connect to a federated provider. Usually follows this format <Host_Name>:<Service_Port_Number>. In some cases, an IP address is used instead of a host name. |
| serviceAccount | Specifies the user name for a service account that has been set up on the federated provider for the purpose of facilitating secure federated searches. |
| type | Specifies the federated provider type. At this point, only Splunk deployments are supported. Defaults to splunk.
|
| useFSHKnowledgeObjects | When set to true, specifies that federated searches with this provider use knowledge objects from the federated search head on the local deployment. When set to false, specifies that federated searches with this provider use knowledge objects from the remote deployment specified in the federated provider. Defaults to True.
|
Example request and response
Change the useFSHKnowledgeObjects setting to false so that federated searches with this federated provider use knowledge objects from the remote search head on the provider.
XML Request
curl -k -u admin:changeme https://localhost:8089/services/data/federated/provider/my_federated_provider -d useFSHKnowledgeObjects=0
XML response
<entry>
<title>my_federated_provider</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/federated/provider/my_federated_provider</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="list"/>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="edit"/>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="appContext">search</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="hostPort">10.224.150.77:58677</s:key>
<s:key name="serviceAccount">power01</s:key>
<s:key name="type">splunk</s:key>
<s:key name="useFSHKnowledgeObjects">0</s:key>
</s:dict>
</content>
</entry>
DELETE
Expand
Deletes a definition for a specific {federated_provider_name}.
Request parameters
None specific to this method.
Returned values
None specific to this method.
Example request and response
Remove the my_federated_provider stanza from federated.conf.
XML Request
curl -k -u admin:changeme -X DELETE https://localhost:8089/services/data/federated/provider/my_federated_provider
XML response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>federated-provider</title>
<id>/services/data/federated/provider</id>
<updated>2021-04-27T12:47:36-07:00</updated>
<generator build="aa7e77c0d232b8ec1a8c12ceeda95e0bfe3c3f1c" version="20210423"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/federated/provider/_new" rel="create"/>
<link href="/services/data/federated/provider/_reload" rel="_reload"/>
<link href="/services/data/federated/provider/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
data/federated/index
https://<host>:<mPort>/services/data/federated/index
Use this endpoint to get a list of federated indexes and post new federated index definitions. See Create a federated index.
Authentication and authorization
Use of the GET and POST operations for this endpoint are restricted to roles that have the admin_all_objects and indexes_edit capabilities.
GET
Expand
Returns a list of federated indexes.
Request parameters
None specific to this method. This method can use pagination and filtering parameters.
Returned values
This table is limited to settings specific to federated indexes. For descriptions of other index settings returned by this endpoint see the entry for data/indexes.
| Name | Description |
|---|---|
| name | Specifies the name of the federated index. Uses the syntax federated:<index_name>.
|
| federated.provider | Specifies the federated provider that contains the dataset to which this federated index maps. |
| federated.dataset | Specifies the dataset on the federated.provider to which this federated index maps. Each federated index maps to one dataset on a federated provider. The dataset is identified by its type and name, using the following syntax: <type>:<dataset_name>.
|
Example request and response
Get the complete list of federated indexes. (The XML response provides a sample of one returned index record.)
XML Request
curl -k -u admin:changeme https://localhost:8089/services/data/federated/index
XML response
...
<entry>
<title>federated:airports-east</title>
<id>/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="list"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="edit"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="remove"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/move" rel="move"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="assureUTF8">0</s:key>
<s:key name="bucketMerge.maxMergeSizeMB">1000</s:key>
<s:key name="bucketMerge.maxMergeTimeSpanSecs">7776000</s:key>
<s:key name="bucketMerge.minMergeSizeMB">750</s:key>
<s:key name="bucketMerging">0</s:key>
<s:key name="coldPath.maxDataSizeMB">0</s:key>
<s:key name="coldToFrozenDir"></s:key>
<s:key name="coldToFrozenScript"></s:key>
<s:key name="compressRawdata">1</s:key>
<s:key name="datatype">event</s:key>
<s:key name="defaultDatabase">main</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="enableDataIntegrityControl">0</s:key>
<s:key name="enableRealtimeSearch">1</s:key>
<s:key name="enableTsidxReduction">0</s:key>
<s:key name="federated.dataset">index:airlinedata1</s:key>
<s:key name="federated.provider">remote_splunk_deployment</s:key>
<s:key name="frozenTimePeriodInSecs">188697600</s:key>
<s:key name="homePath.maxDataSizeMB">0</s:key>
<s:key name="hotBucketStreaming.deleteHotsAfterRestart">0</s:key>
<s:key name="hotBucketStreaming.extraBucketBuildingCmdlineArgs"></s:key>
<s:key name="hotBucketStreaming.removeRemoteSlicesOnRoll">0</s:key>
<s:key name="hotBucketStreaming.reportStatus">0</s:key>
<s:key name="hotBucketStreaming.sendSlices">0</s:key>
<s:key name="hotBucketTimeRefreshInterval">60</s:key>
<s:key name="indexThreads">auto</s:key>
<s:key name="journalCompression">gzip</s:key>
<s:key name="maxConcurrentOptimizes">3</s:key>
<s:key name="maxDataSize">auto</s:key>
<s:key name="maxHotBuckets">1</s:key>
<s:key name="maxHotIdleSecs">0</s:key>
<s:key name="maxHotSpanSecs">7776000</s:key>
<s:key name="maxMemMB">5</s:key>
<s:key name="maxTotalDataSizeMB">500000</s:key>
<s:key name="maxWarmDBCount">300</s:key>
<s:key name="memPoolMB">auto</s:key>
<s:key name="metric.compressionBlockSize">1024</s:key>
<s:key name="metric.enableFloatingPointCompression">1</s:key>
<s:key name="metric.maxHotBuckets">1</s:key>
<s:key name="metric.splitByIndexKeys"></s:key>
<s:key name="metric.stubOutRawdataJournal">1</s:key>
<s:key name="metric.timestampResolution">s</s:key>
<s:key name="metric.tsidxTargetSizeMB">1500</s:key>
<s:key name="minHotIdleSecsBeforeForceRoll">auto</s:key>
<s:key name="minStreamGroupQueueSize">2000</s:key>
<s:key name="quarantineFutureSecs">2592000</s:key>
<s:key name="quarantinePastSecs">77760000</s:key>
<s:key name="rawChunkSizeBytes">131072</s:key>
<s:key name="rotatePeriodInSecs">60</s:key>
<s:key name="serviceInactiveIndexesPeriod">60</s:key>
<s:key name="serviceMetaPeriod">1</s:key>
<s:key name="splitByIndexKeys"></s:key>
<s:key name="streamingTargetTsidxSyncPeriodMsec">5000</s:key>
<s:key name="suspendHotRollByDeleteQuery">0</s:key>
<s:key name="sync">0</s:key>
<s:key name="timePeriodInSecBeforeTsidxReduction">604800</s:key>
<s:key name="tsidxDedupPostingsListMaxTermsLimit">8388608</s:key>
<s:key name="tsidxReductionCheckPeriodInSec">600</s:key>
<s:key name="tsidxTargetSizeMB">1500</s:key>
<s:key name="tsidxWritingLevel">1</s:key>
<s:key name="tstatsHomePath">volume:_splunk_summaries/$_index_name/datamodel_summary</s:key>
</s:dict>
</content>
</entry>
POST
Expand
Creates a new federated index definition.
Request parameters
| Name | Type | Description |
|---|---|---|
| name | String | Required. Specify a unique name for the federated index, using the syntax federated:<index_name>. Each federated index maps to only one remote dataset on a federated provider, so the name should reference that dataset.Index names have the following limitations:
|
| federated.provider | String | Required. Specify the federated provider that contains the dataset to which this federated index maps. |
| federated.dataset | String | Required. Specify the dataset on the federated.provider to which this federated index maps. The dataset is identified by its type and name, using the following syntax: <type>:<dataset_name>.For this version of the Splunk platform, the <type> is limited to index.
|
Returned values
This table is limited to settings specific to federated indexes. For descriptions of other index settings returned by this endpoint see the entry for data/indexes.
| Name | Description |
|---|---|
| name | Specifies the name of the federated index. Uses the syntax federated:<index_name>.
|
| federated.provider | Specifies the federated provider that contains the dataset to which this federated index maps. |
| federated.dataset | Specifies the dataset on the federated.provider to which this federated index maps. Each federated index maps to one dataset on a federated provider. The dataset is identified by its type and name, using the following syntax: <type>:<dataset_name>.
|
Example request and response
Create a new definition for a federated index named airports-east.
XML Request
curl -k -u admin:changeme https://localhost:8089/services/data/federated/index -d name=federated:airports-east -d federated.provider=FenrisAirNYC -d federated.dataset=index:airports-east
XML response
<entry>
<title>federated:fs-airports-east</title>
<id>/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="list"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="edit"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="remove"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/move" rel="move"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="assureUTF8">0</s:key>
<s:key name="bucketMerge.maxMergeSizeMB">1000</s:key>
<s:key name="bucketMerge.maxMergeTimeSpanSecs">7776000</s:key>
<s:key name="bucketMerge.minMergeSizeMB">750</s:key>
<s:key name="bucketMerging">0</s:key>
<s:key name="coldPath.maxDataSizeMB">0</s:key>
<s:key name="coldToFrozenDir"></s:key>
<s:key name="coldToFrozenScript"></s:key>
<s:key name="compressRawdata">1</s:key>
<s:key name="datatype">event</s:key>
<s:key name="defaultDatabase">main</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="enableDataIntegrityControl">0</s:key>
<s:key name="enableRealtimeSearch">1</s:key>
<s:key name="enableTsidxReduction">0</s:key>
<s:key name="federated.dataset">index:airports-east</s:key>
<s:key name="federated.provider">FenrisAirNYC</s:key>
<s:key name="frozenTimePeriodInSecs">188697600</s:key>
<s:key name="homePath.maxDataSizeMB">0</s:key>
<s:key name="hotBucketStreaming.deleteHotsAfterRestart">0</s:key>
<s:key name="hotBucketStreaming.extraBucketBuildingCmdlineArgs"></s:key>
<s:key name="hotBucketStreaming.removeRemoteSlicesOnRoll">0</s:key>
<s:key name="hotBucketStreaming.reportStatus">0</s:key>
<s:key name="hotBucketStreaming.sendSlices">0</s:key>
<s:key name="hotBucketTimeRefreshInterval">60</s:key>
<s:key name="indexThreads">auto</s:key>
<s:key name="journalCompression">gzip</s:key>
<s:key name="maxConcurrentOptimizes">3</s:key>
<s:key name="maxDataSize">auto</s:key>
<s:key name="maxHotBuckets">1</s:key>
<s:key name="maxHotIdleSecs">0</s:key>
<s:key name="maxHotSpanSecs">7776000</s:key>
<s:key name="maxMemMB">5</s:key>
<s:key name="maxTotalDataSizeMB">500000</s:key>
<s:key name="maxWarmDBCount">300</s:key>
<s:key name="memPoolMB">auto</s:key>
<s:key name="metric.compressionBlockSize">1024</s:key>
<s:key name="metric.enableFloatingPointCompression">1</s:key>
<s:key name="metric.maxHotBuckets">1</s:key>
<s:key name="metric.splitByIndexKeys"></s:key>
<s:key name="metric.stubOutRawdataJournal">1</s:key>
<s:key name="metric.timestampResolution">s</s:key>
<s:key name="metric.tsidxTargetSizeMB">1500</s:key>
<s:key name="minHotIdleSecsBeforeForceRoll">auto</s:key>
<s:key name="minStreamGroupQueueSize">2000</s:key>
<s:key name="quarantineFutureSecs">2592000</s:key>
<s:key name="quarantinePastSecs">77760000</s:key>
<s:key name="rawChunkSizeBytes">131072</s:key>
<s:key name="rotatePeriodInSecs">60</s:key>
<s:key name="serviceInactiveIndexesPeriod">60</s:key>
<s:key name="serviceMetaPeriod">1</s:key>
<s:key name="splitByIndexKeys"></s:key>
<s:key name="streamingTargetTsidxSyncPeriodMsec">5000</s:key>
<s:key name="suspendHotRollByDeleteQuery">0</s:key>
<s:key name="sync">0</s:key>
<s:key name="timePeriodInSecBeforeTsidxReduction">604800</s:key>
<s:key name="tsidxDedupPostingsListMaxTermsLimit">8388608</s:key>
<s:key name="tsidxReductionCheckPeriodInSec">600</s:key>
<s:key name="tsidxTargetSizeMB">1500</s:key>
<s:key name="tsidxWritingLevel">1</s:key>
<s:key name="tstatsHomePath">volume:_splunk_summaries/$_index_name/datamodel_summary</s:key>
</s:dict>
</content>
</entry>
data/federated/index/federated:{federated_index_name}
https://<host>:<mPort>/services/data/federated/provider/federated:{federated_index_name}
Use this endpoint to:
- Retrieve a definition for a specific
{federated_index_name}. - Update a definition for a specific
{federated_index_name}. - Delete a definition for a specific
{federated_index_name}.
Authentication and Authorization
Usage of the GET, POST, and DELETE operations for this endpoint require the admin_all_objects and indexes_edit capabilities.
GET
Expand
Returns a definition of a specific {federated_index_name}.
Request parameters
None specific to this method.
Returned values
This table is limited to settings specific to federated indexes. For descriptions of other index settings returned by this endpoint see the entry for data/indexes.
| Name | Description |
|---|---|
| name | Specifies the name of the federated index. Uses the syntax federated:<index_name>.
|
| federated.provider | Specifies the federated provider that contains the dataset to which this federated index maps. |
| federated.dataset | Specifies the dataset on the federated.provider to which this federated index maps. Each federated index maps to one dataset on a federated provider. The dataset is identified by its type and name, using the following syntax: <type>:<dataset_name>.
|
Example request and response
Return the definition for the airports-east federated index.
XML Request
curl -k -u admin:changeme https://localhost:8089/services/data/federated/index/federated:airports-east
XML response
<entry>
<title>federated:airports-east</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="list"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="edit"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="remove"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/move" rel="move"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="archiver.enableDataArchive">0</s:key>
<s:key name="archiver.maxDataArchiveRetentionPeriod">0</s:key>
<s:key name="assureUTF8">0</s:key>
<s:key name="bucketMerge.maxMergeSizeMB">1000</s:key>
<s:key name="bucketMerge.maxMergeTimeSpanSecs">7776000</s:key>
<s:key name="bucketMerge.minMergeSizeMB">750</s:key>
<s:key name="bucketMerging">0</s:key>
<s:key name="bucketRebuildMemoryHint">auto</s:key>
<s:key name="coldPath.maxDataSizeMB">0</s:key>
<s:key name="coldToFrozenDir"></s:key>
<s:key name="coldToFrozenScript"></s:key>
<s:key name="compressRawdata">1</s:key>
<s:key name="datatype">event</s:key>
<s:key name="defaultDatabase">main</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>federated.dataset</s:item>
<s:item>federated.provider</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list>
<s:item>.*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="enableDataIntegrityControl">0</s:key>
<s:key name="enableOnlineBucketRepair">1</s:key>
<s:key name="enableRealtimeSearch">1</s:key>
<s:key name="enableTsidxReduction">0</s:key>
<s:key name="federated.dataset">sendmail</s:key>
<s:key name="federated.provider">remote_deployment_1</s:key>
<s:key name="fileSystemExecutorWorkers">5</s:key>
<s:key name="frozenTimePeriodInSecs">188697600</s:key>
<s:key name="homePath.maxDataSizeMB">0</s:key>
<s:key name="hotBucketStreaming.deleteHotsAfterRestart">0</s:key>
<s:key name="hotBucketStreaming.extraBucketBuildingCmdlineArgs"></s:key>
<s:key name="hotBucketStreaming.removeRemoteSlicesOnRoll">0</s:key>
<s:key name="hotBucketStreaming.reportStatus">0</s:key>
<s:key name="hotBucketStreaming.sendSlices">0</s:key>
<s:key name="hotBucketTimeRefreshInterval">10</s:key>
<s:key name="indexThreads">auto</s:key>
<s:key name="journalCompression">gzip</s:key>
<s:key name="maxBloomBackfillBucketAge">30d</s:key>
<s:key name="maxBucketSizeCacheEntries">0</s:key>
<s:key name="maxConcurrentOptimizes">6</s:key>
<s:key name="maxDataSize">auto</s:key>
<s:key name="maxGlobalDataSizeMB">0</s:key>
<s:key name="maxGlobalRawDataSizeMB">0</s:key>
<s:key name="maxHotBuckets">auto</s:key>
<s:key name="maxHotIdleSecs">0</s:key>
<s:key name="maxHotSpanSecs">7776000</s:key>
<s:key name="maxMemMB">5</s:key>
<s:key name="maxMetaEntries">1000000</s:key>
<s:key name="maxRunningProcessGroups">8</s:key>
<s:key name="maxRunningProcessGroupsLowPriority">1</s:key>
<s:key name="maxTimeUnreplicatedNoAcks">300</s:key>
<s:key name="maxTimeUnreplicatedWithAcks">60</s:key>
<s:key name="maxTotalDataSizeMB">500000</s:key>
<s:key name="maxWarmDBCount">300</s:key>
<s:key name="memPoolMB">auto</s:key>
<s:key name="metric.compressionBlockSize">1024</s:key>
<s:key name="metric.enableFloatingPointCompression">1</s:key>
<s:key name="metric.maxHotBuckets">auto</s:key>
<s:key name="metric.splitByIndexKeys"></s:key>
<s:key name="metric.stubOutRawdataJournal">1</s:key>
<s:key name="metric.timestampResolution">s</s:key>
<s:key name="metric.tsidxTargetSizeMB">1500</s:key>
<s:key name="minHotIdleSecsBeforeForceRoll">auto</s:key>
<s:key name="minRawFileSyncSecs">disable</s:key>
<s:key name="minStreamGroupQueueSize">2000</s:key>
<s:key name="partialServiceMetaPeriod">0</s:key>
<s:key name="processTrackerServiceInterval">1</s:key>
<s:key name="quarantineFutureSecs">2592000</s:key>
<s:key name="quarantinePastSecs">77760000</s:key>
<s:key name="rawChunkSizeBytes">131072</s:key>
<s:key name="repFactor">0</s:key>
<s:key name="rotatePeriodInSecs">60</s:key>
<s:key name="rtRouterQueueSize">10000</s:key>
<s:key name="rtRouterThreads">0</s:key>
<s:key name="selfStorageThreads">2</s:key>
<s:key name="serviceInactiveIndexesPeriod">60</s:key>
<s:key name="serviceMetaPeriod">25</s:key>
<s:key name="serviceOnlyAsNeeded">1</s:key>
<s:key name="serviceSubtaskTimingPeriod">30</s:key>
<s:key name="splitByIndexKeys"></s:key>
<s:key name="streamingTargetTsidxSyncPeriodMsec">5000</s:key>
<s:key name="suppressBannerList"></s:key>
<s:key name="suspendHotRollByDeleteQuery">0</s:key>
<s:key name="sync">0</s:key>
<s:key name="syncMeta">1</s:key>
<s:key name="throttleCheckPeriod">15</s:key>
<s:key name="timePeriodInSecBeforeTsidxReduction">604800</s:key>
<s:key name="tsidxDedupPostingsListMaxTermsLimit">8388608</s:key>
<s:key name="tsidxReductionCheckPeriodInSec">600</s:key>
<s:key name="tsidxTargetSizeMB">1500</s:key>
<s:key name="tsidxWritingLevel">2</s:key>
<s:key name="tstatsHomePath">volume:_splunk_summaries/$_index_name/datamodel_summary</s:key>
<s:key name="waitPeriodInSecsForManifestWrite">60</s:key>
<s:key name="warmToColdScript"></s:key>
</s:dict>
</content>
</entry>
POST
Expand
Updates a definition for a specific {federated_index_name}.
Request parameters
At least one argument is required.
| Name | Type | Description |
|---|---|---|
| federated.provider | String | Required. Specify the federated provider that contains the dataset to which this federated index maps. |
| federated.dataset | String | Required. Specify the dataset on the federated.provider to which this federated index maps. The dataset is identified by its type and name, using the following syntax: <type>:<dataset_name>.For this version of the Splunk platform, the <type> is limited to index.
|
Returned values
This table is limited to settings specific to federated indexes. For descriptions of other index settings returned by this endpoint see the entry for data/indexes.
| Name | Description |
|---|---|
| name | Specifies the name of the federated index. Uses the syntax federated:<index_name>.
|
| federated.provider | Specifies the federated provider that contains the dataset to which this federated index maps. |
| federated.dataset | Specifies the dataset on the federated.provider to which this federated index maps. Each federated index maps to one dataset on a federated provider. The dataset is identified by its type and name, using the following syntax: <type>:<dataset_name>.
|
Example request and response
Update the dataset mapping for the federated:airports-east federated index.
XML Request
curl -k -u admin:changeme https://localhost:8089/services/data/federated/index/federated:airports-east -d federated.dataset=index:airports-west
XML response
<entry>
<title>federated:airports-east</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="list"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="edit"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="remove"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/move" rel="move"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="archiver.enableDataArchive">0</s:key>
<s:key name="archiver.maxDataArchiveRetentionPeriod">0</s:key>
<s:key name="assureUTF8">0</s:key>
<s:key name="bucketMerge.maxMergeSizeMB">1000</s:key>
<s:key name="bucketMerge.maxMergeTimeSpanSecs">7776000</s:key>
<s:key name="bucketMerge.minMergeSizeMB">750</s:key>
<s:key name="bucketMerging">0</s:key>
<s:key name="bucketRebuildMemoryHint">auto</s:key>
<s:key name="coldPath.maxDataSizeMB">0</s:key>
<s:key name="coldToFrozenDir"></s:key>
<s:key name="coldToFrozenScript"></s:key>
<s:key name="compressRawdata">1</s:key>
<s:key name="datatype">event</s:key>
<s:key name="defaultDatabase">main</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="enableDataIntegrityControl">0</s:key>
<s:key name="enableOnlineBucketRepair">1</s:key>
<s:key name="enableRealtimeSearch">1</s:key>
<s:key name="enableTsidxReduction">0</s:key>
<s:key name="federated.dataset">index:airports-west</s:key>
<s:key name="federated.provider">remote_deployment_1</s:key>
<s:key name="fileSystemExecutorWorkers">5</s:key>
<s:key name="frozenTimePeriodInSecs">188697600</s:key>
<s:key name="homePath.maxDataSizeMB">0</s:key>
<s:key name="hotBucketStreaming.deleteHotsAfterRestart">0</s:key>
<s:key name="hotBucketStreaming.extraBucketBuildingCmdlineArgs"></s:key>
<s:key name="hotBucketStreaming.removeRemoteSlicesOnRoll">0</s:key>
<s:key name="hotBucketStreaming.reportStatus">0</s:key>
<s:key name="hotBucketStreaming.sendSlices">0</s:key>
<s:key name="hotBucketTimeRefreshInterval">10</s:key>
<s:key name="indexThreads">auto</s:key>
<s:key name="journalCompression">gzip</s:key>
<s:key name="maxBloomBackfillBucketAge">30d</s:key>
<s:key name="maxBucketSizeCacheEntries">0</s:key>
<s:key name="maxConcurrentOptimizes">6</s:key>
<s:key name="maxDataSize">auto</s:key>
<s:key name="maxGlobalDataSizeMB">0</s:key>
<s:key name="maxGlobalRawDataSizeMB">0</s:key>
<s:key name="maxHotBuckets">auto</s:key>
<s:key name="maxHotIdleSecs">0</s:key>
<s:key name="maxHotSpanSecs">7776000</s:key>
<s:key name="maxMemMB">5</s:key>
<s:key name="maxMetaEntries">1000000</s:key>
<s:key name="maxRunningProcessGroups">8</s:key>
<s:key name="maxRunningProcessGroupsLowPriority">1</s:key>
<s:key name="maxTimeUnreplicatedNoAcks">300</s:key>
<s:key name="maxTimeUnreplicatedWithAcks">60</s:key>
<s:key name="maxTotalDataSizeMB">500000</s:key>
<s:key name="maxWarmDBCount">300</s:key>
<s:key name="memPoolMB">auto</s:key>
<s:key name="metric.compressionBlockSize">1024</s:key>
<s:key name="metric.enableFloatingPointCompression">1</s:key>
<s:key name="metric.maxHotBuckets">auto</s:key>
<s:key name="metric.splitByIndexKeys"></s:key>
<s:key name="metric.stubOutRawdataJournal">1</s:key>
<s:key name="metric.timestampResolution">s</s:key>
<s:key name="metric.tsidxTargetSizeMB">1500</s:key>
<s:key name="minHotIdleSecsBeforeForceRoll">auto</s:key>
<s:key name="minRawFileSyncSecs">disable</s:key>
<s:key name="minStreamGroupQueueSize">2000</s:key>
<s:key name="partialServiceMetaPeriod">0</s:key>
<s:key name="processTrackerServiceInterval">1</s:key>
<s:key name="quarantineFutureSecs">2592000</s:key>
<s:key name="quarantinePastSecs">77760000</s:key>
<s:key name="rawChunkSizeBytes">131072</s:key>
<s:key name="repFactor">0</s:key>
<s:key name="rotatePeriodInSecs">60</s:key>
<s:key name="rtRouterQueueSize">10000</s:key>
<s:key name="rtRouterThreads">0</s:key>
<s:key name="selfStorageThreads">2</s:key>
<s:key name="serviceInactiveIndexesPeriod">60</s:key>
<s:key name="serviceMetaPeriod">25</s:key>
<s:key name="serviceOnlyAsNeeded">1</s:key>
<s:key name="serviceSubtaskTimingPeriod">30</s:key>
<s:key name="splitByIndexKeys"></s:key>
<s:key name="streamingTargetTsidxSyncPeriodMsec">5000</s:key>
<s:key name="suppressBannerList"></s:key>
<s:key name="suspendHotRollByDeleteQuery">0</s:key>
<s:key name="sync">0</s:key>
<s:key name="syncMeta">1</s:key>
<s:key name="throttleCheckPeriod">15</s:key>
<s:key name="timePeriodInSecBeforeTsidxReduction">604800</s:key>
<s:key name="tsidxDedupPostingsListMaxTermsLimit">8388608</s:key>
<s:key name="tsidxReductionCheckPeriodInSec">600</s:key>
<s:key name="tsidxTargetSizeMB">1500</s:key>
<s:key name="tsidxWritingLevel">2</s:key>
<s:key name="tstatsHomePath">volume:_splunk_summaries/$_index_name/datamodel_summary</s:key>
<s:key name="waitPeriodInSecsForManifestWrite">60</s:key>
<s:key name="warmToColdScript"></s:key>
</s:dict>
</content>
</entry>
DELETE
Expand
Deletes a definition for a specific {federated_index_name}.
Request parameters
None specific to this method.
Returned values
None specific to this method.
Example request and response
Remove the my_federated_index stanza from indexes.conf.
XML Request
curl -k -u admin:changeme -X DELETE https://localhost:8089/services/data/federated/index/federated:my_federated_index
XML response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>federated-index</title>
<id>/services/data/federated/index</id>
<updated>2021-04-27T12:57:06-07:00</updated>
<generator build="aa7e77c0d232b8ec1a8c12ceeda95e0bfe3c3f1c" version="20210423"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/federated/index/_new" rel="create"/>
<link href="/services/data/federated/index/_reload" rel="_reload"/>
<link href="/services/data/federated/index/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
Last modified on 27 August, 2024
| Deployment endpoint descriptions | Input endpoint descriptions |
This documentation applies to the following versions of Splunk® Enterprise: 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10
Download manual
Feedback submitted, thanks!