Federated search endpoint descriptions
Use the federated search REST API endpoints to create, update, and delete definitions for federated providers and federated indexes for Federated Search for Splunk and Federated Search for Amazon S3. Federated Search for Amazon S3 is available only for Splunk Cloud Platform.
See Overview of the federated search options for the Splunk platform in Federated Search.
Usage details
Review ACL information for an endpoint
To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information see Access Control List in the REST API User Manual.
Authentication and Authorization
Username and password authentication are required for access to endpoints and REST operations.
Splunk users must have role or capability-based authorization to use REST endpoints, and must have the admin_all_objects and edit_indexes capabilities to use the federated search endpoints detailed in this topic.
Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls > Users. To determine the capabilities assigned to a role, select Settings > Access controls > Roles.
Splunk Cloud Platform URL for REST API access
Splunk Cloud Platform has a different host and management port syntax than Splunk Enterprise. Paid subscribers to the Splunk Cloud Platform service use the following URL to access REST API resources:
https://<deployment-name>.splunkcloud.com:8089
See Access requirements and limitations for the Splunk Cloud Platform REST API in the the REST API Tutorials manual for more information.
data/federated/settings/general
https://<host>:<mPort>/services/data/federated/settings/general
Use this endpoint to review the general settings for your Splunk platform deployment implementation of Federated Search for Splunk and change those settings as necessary. For an overview of Federated Search for Splunk, see About Federated Search for Splunk in Federated Search.
The settings that this endpoint governs do not apply to Federated Search for Amazon S3.
Authentication and authorization
Usage of the GET and POST operations for this endpoint is restricted to roles that have the admin_all_objects capability.
GET
Provides the current general federated search settings for your Splunk platform deployment.
Request parameters
None specific to this method. This method can use pagination and filtering parameters.
Returned values
| Name | Description |
|---|---|
| disabled | Specifies whether federated search functionality is turned on for your Splunk platform deployment. If Defaults to |
| transparent_mode | Specifies whether transparent mode federated search functionality is turned on for your Splunk platform deployment. If set to true, transparent mode is turned on, which means federated search users on your deployment can run federated searches over transparent mode federated providers as well as standard mode federated providers. If set to false, transparent mode is turned off, which means federated search users on your deployment can run federated searches only over standard mode federated providers.Defaults to |
| controlCommandsFeatureEnabled | Specifies whether a federated search head can send a federated search action, such as a search cancellation, to federated providers. Does not support search pause. Defaults to true.
|
| controlCommandsMaxThreads | The maximum number of threads that can run a federated search action, such as a search cancellation, from a federated search head, on federated providers. Does not support search pause. Defaults to 5.
|
| controlCommandsMaxTimeThreshold | The maximum number of seconds that a federated search head waits for the completion of a federated search action such as a search cancellation. Does not support search pause. Defaults to 5.
|
| heartbeatEnabled | Specifies whether the federated search heartbeat mechanism is running. The heartbeat mechanism monitors the remote federated providers. If it detects problems with the federated providers the heartbeat mechanism can tell you what is wrong and take actions. Defaults to true.
|
| max_preview_generation_duration | The maximum amount of time, in seconds, that the search head can spend to generate search result previews. When this limit is reached by a federated search, preview preview generation is halted, but the search continues gathering results until it completes and displays the final result set. A setting of 0 means that the preview generation duration of federated searches is unlimited. Defaults to 0.
|
| needs_consent | When set to true, needs_consent causes a checkbox to appear in the UI for federated provider definitions and index assignment to roles. This checkbox requires that users acknowledge that federated providers and federated index permissions can be set up in a manner detrimental to regulatory compliance. When set to false, needs_consent hides this checkbox. Defaults to true.
|
| proxyBundlesTTL | Specifies the time to live in seconds of a proxy bundle on the remote search head after the last time it was used by a search. Defaults to 172800 seconds, or 2 days.
|
| remoteEventsDownloadRetryCountMax | When you run a verbose-mode federated search, the federated search head downloads events from the federated provider. This setting provides the maximum number of event download retries that the federated search head can make before it reports an event download failure. Related to remoteEventsDownloadRetryTimeoutMs. Defaults to 20 event download retries.
|
| remoteEventsDownloadRetryTimeoutMs | When you run a verbose-mode federated search, the federated search head downloads events from the federated provider. This setting provides the interval, in milliseconds, between retries of a failed event download from a federated provider. Related to remoteEventsDownloadRetryCountMax. Defaults to 1000.
|
| verbose_mode | Specifies whether federated searches can be run in verbose mode. A setting of false restricts the ability of federated searches to run in verbose mode, while allowing federated searches to run in fast or smart mode. In transparent mode, a setting of false means that Splunk software runs only the local portion of a verbose mode federated search. In standard mode, a setting of false terminates verbose mode federated searches without displaying their results. Defaults to true.
|
Example request and response
Return the general federated search settings for your Splunk platform deployment. The XML response shows an example of returned federated search settings.
XML Request
curl -k -u admin:changeme -X GET https://localhost:8089/services/data/federated/settings/general
XML response
...
<entry>
<title>general</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/federated/settings/general</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/system/data/federated/settings/general" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/federated/settings/general" rel="list"/>
<link href="/servicesNS/nobody/system/data/federated/settings/general/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/federated/settings/general" rel="edit"/>
<link href="/servicesNS/nobody/system/data/federated/settings/general/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="controlCommandsFeatureEnabled">1</s:key>
<s:key name="controlCommandsMaxThreads">5</s:key>
<s:key name="controlCommandsMaxTimeThreshold">5</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>controlCommandsFeatureEnabled</s:item>
<s:item>controlCommandsMaxThreads</s:item>
<s:item>controlCommandsMaxTimeThreshold</s:item>
<s:item>heartbeatEnabled</s:item>
<s:item>needs_consent</s:item>
<s:item>proxyBundlesTTL</s:item>
<s:item>verbose_mode</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list>
<s:item>.*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="max_preview_generation_duration">0<s:key>
<s:key name="needs_consent">1</s:key>
<s:key name="proxyBundlesTTL">172800</s:key>
<s:key name="remoteEventsDownloadRetryCountMax">20</s:key>
<s:key name="remoteEventsDownloadRetryTimeoutMs">1000</s:key>
<s:key name="transparent_mode">1</s:key>
</s:dict>
</content>
</entry>
POST
Updates general federated search settings. Can be used to turn federated search functionality on or off for a Splunk platform deployment.
Request parameters
| Name | Type | Description |
|---|---|---|
| disabled | Boolean | When set to false, disabled specifies that federated search functionality is turned on for your Splunk platform deployment. When set to true, disabled specifies that federated search functionality is turned off for your Splunk platform deployment.Defaults to false.
|
| transparent_mode | Boolean | When set to true, transparent_mode specifies that transparent mode federated search functionality is turned on for your Splunk platform deployment, which means that federated search users on your deployment can run federated searches over transparent mode federated providers as well as standard mode federated providers.When set to false, transparent_mode specifies that transparent mode federated search functionality is turned off for your Splunk platform deployment, which means that federated search users on your deployment can run federated searches only over standard mode federated providers.Defaults to true.
After turning on or off transparent mode, you must call |
| controlCommandsFeatureEnabled | Boolean | Specifies whether a federated search head can send a federated search action, such as a search cancellation, to federated providers. Does not support search pause. Defaults to true.Change this setting only when instructed to do so by Splunk Support. |
| controlCommandsMaxThreads | Number | The maximum number of threads that can run a federated search action, such as a search cancellation, from a federated search head, on federated providers. Does not support search pause. Defaults to 5. Change this setting only when instructed to do so by Splunk Support. |
| controlCommandsMaxTimeThreshold | Number | The maximum number of seconds that a federated search head waits for the completion of a federated search action such as a search cancellation. Does not support search pause. Defaults to 5.Change this setting only when instructed to do so by Splunk Support. |
| heartbeatEnabled | Boolean | Specifies whether the federated search heartbeat mechanism is running. The heartbeat mechanism monitors the remote federated providers. If it detects problems with the federated providers the heartbeat mechanism can tell you what is wrong and take actions. Defaults to true.Change this setting only when instructed to do so by Splunk Support. |
| max_preview_generation_duration | Number | The maximum amount of time, in seconds, that the search head can spend to generate search result previews. When this limit is reached by a federated search, preview preview generation is halted, but the search continues gathering results until it completes and displays the final result set. A setting of 0 means that the preview generation duration of federated searches is unlimited. Defaults to 0.Change the value of this setting to a number above zero if you find that your federated searches are terminated because their preview generation duration exceeds a timeout set by another component in your network, such as an elastic load balancer (ELB). For example, if you have an ELB that times out your searches after 60 seconds, set max_preview_generation_duration to 55.
|
| needs_consent | Boolean | When set to true, needs_consent causes a checkbox to appear in the UI for federated provider definitions and index assignment to roles. This checkbox requires that users acknowledge that federated providers and federated index permissions can be set up in a manner detrimental to regulatory compliance. When set to false, needs_consent hides this checkbox. Defaults to true.Change this setting only when instructed to do so by Splunk Support. |
| proxyBundlesTTL | Number | Specifies the time to live in seconds of a proxy bundle on the remote search head after the last time it was used by a search. Defaults to 172800 seconds, or 2 days.Change this setting only when instructed to do so by Splunk Support. |
| remoteEventsDownloadRetryCountMax | Number | When you run a verbose-mode federated search, the federated search head downloads events from the federated provider. This setting provides the maximum number of event download retries that the federated search head can make before it reports an event download failure. Related to remoteEventsDownloadRetryTimeoutMs. Defaults to 20 event download retries.Change this setting only when instructed to do so by Splunk Support. |
| remoteEventsDownloadRetryTimeoutMs | Number | When you run a verbose-mode federated search, the federated search head downloads events from the federated provider. This setting provides the interval, in milliseconds, between retries of a failed event download from a federated provider. Related to remoteEventsDownloadRetryCountMax. Defaults to 1000.Change this setting only when instructed to do so by Splunk Support. |
| verbose_mode | Boolean | Specifies whether federated searches can be run in verbose mode. A setting of false restricts the ability of federated searches to run in verbose mode, while allowing federated searches to run in fast or smart mode. In transparent mode, a setting of false means that Splunk software runs only the local portion of a verbose mode federated search. In standard mode, a setting of false terminates verbose mode federated searches without displaying their results. Defaults to true.Change this setting only when instructed to do so by Splunk Support. |
Returned values
| Name | Description |
|---|---|
| disabled | Specifies whether federated search functionality is turned on for your Splunk platform deployment. If Defaults to |
| transparent_mode | Specifies whether transparent mode federated search functionality is turned on for your Splunk platform deployment. If set to true, transparent mode is turned on, which means federated search users on your deployment can run federated searches over transparent mode federated providers as well as standard mode federated providers. If set to false, transparent mode is turned off, which means federated search users on your deployment can run federated searches only over standard mode federated providers.Defaults to |
| controlCommandsFeatureEnabled | Specifies whether a federated search head can send a federated search action, such as a search cancellation, to federated providers. Does not support search pause. Defaults to true.
|
| controlCommandsMaxThreads | The maximum number of threads that can run a federated search action, such as a search cancellation, from a federated search head, on federated providers. Does not support search pause. Defaults to 5.
|
| controlCommandsMaxTimeThreshold | The maximum number of seconds that a federated search head waits for the completion of a federated search action such as a search cancellation. Does not support search pause. Defaults to 5.
|
| heartbeatEnabled | Specifies whether the federated search heartbeat mechanism is running. The heartbeat mechanism monitors the remote federated providers. If it detects problems with the federated providers the heartbeat mechanism can tell you what is wrong and take actions. Defaults to true.
|
| max_preview_generation_duration | The maximum amount of time, in seconds, that the search head can spend to generate search result previews. When this limit is reached by a federated search, preview preview generation is halted, but the search continues gathering results until it completes and displays the final result set. A setting of 0 means that the preview generation duration of federated searches is unlimited. Defaults to 0.
|
| needs_consent | When set to true, needs_consent causes a checkbox to appear in the UI for federated provider definitions and index assignment to roles. This checkbox requires that users acknowledge that federated providers and federated index permissions can be set up in a manner detrimental to regulatory compliance. When set to false, needs_consent hides this checkbox. Defaults to true.
|
| proxyBundlesTTL | Specifies the time to live in seconds of a proxy bundle on the remote search head after the last time it was used by a search. Defaults to 172800 seconds, or 2 days.
|
| remoteEventsDownloadRetryCountMax | When you run a verbose-mode federated search, the federated search head downloads events from the federated provider. This setting provides the maximum number of event download retries that the federated search head can make before it reports an event download failure. Related to remoteEventsDownloadRetryTimeoutMs. Defaults to 20 event download retries.
|
| remoteEventsDownloadRetryTimeoutMs | When you run a verbose-mode federated search, the federated search head downloads events from the federated provider. This setting provides the interval, in milliseconds, between retries of a failed event download from a federated provider. Related to remoteEventsDownloadRetryCountMax. Defaults to 1000.
|
| verbose_mode | Specifies whether federated searches can be run in verbose mode. A setting of false restricts the ability of federated searches to run in verbose mode, while allowing federated searches to run in fast or smart mode. In transparent mode, a setting of false means that Splunk software runs only the local portion of a verbose mode federated search. In standard mode, a setting of false terminates verbose mode federated searches without displaying their results. Defaults to true.
|
Example request and response
Turn off transparent mode federated search for this Splunk platform deployment.
XML Request
curl -k -u admin:changeme -X POST https://localhost:8089/services/data/federated/settings/general -d transparent_mode=false
After turning on or off transparent mode, you must call _reload by running the following HTTP POST request; otherwise the change won't take effect:
curl -k -u admin:changeme -X POST https://localhost:8089/services/configs/conf-federated/_reload
XML response
...
<entry>
<title>general</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/federated/settings/general</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/system/data/federated/settings/general" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/federated/settings/general" rel="list"/>
<link href="/servicesNS/nobody/system/data/federated/settings/general/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/federated/settings/general" rel="edit"/>
<link href="/servicesNS/nobody/system/data/federated/settings/general/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="controlCommandsFeatureEnabled">1</s:key>
<s:key name="controlCommandsMaxThreads">5</s:key>
<s:key name="controlCommandsMaxTimeThreshold">5</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>controlCommandsFeatureEnabled</s:item>
<s:item>controlCommandsMaxThreads</s:item>
<s:item>controlCommandsMaxTimeThreshold</s:item>
<s:item>heartbeatEnabled</s:item>
<s:item>needs_consent</s:item>
<s:item>proxyBundlesTTL</s:item>
<s:item>verbose_mode</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list>
<s:item>.*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="max_preview_generation_duration">0<s:key>
<s:key name="needs_consent">1</s:key>
<s:key name="proxyBundlesTTL">172800</s:key>
<s:key name="remoteEventsDownloadRetryCountMax">20</s:key>
<s:key name="remoteEventsDownloadRetryTimeoutMs">1000</s:key>
<s:key name="transparent_mode">0</s:key>
</s:dict>
</content>
</entry>
data/federated/provider
https://<host>:<mPort>/services/data/federated/provider
Use this endpoint to get a list of federated providers and post new federated provider definitions. Some of these settings are exclusive to Federated Search for Splunk, while other settings are exclusive to Federated Search for Amazon S3. Federated Search for Amazon S3 is available only for Splunk Cloud Platform.
The provider endpoint does not honor user or app context. It always places federated provider stanzas in etc/system/local/federated.conf, no matter which user or app namespace you are currently using.
For more information about defining federated providers for Federated Search for Splunk, see Define a Splunk platform federated provider in Federated Search.
For more information about defining federated providers for Federated Search for Amazon S3, see Define an Amazon S3 federated provider in Federated Search.
Authentication and authorization
Usage of the POST operation for this endpoint is restricted to roles that have the admin_all_objects capability.
GET
Returns a list of federated providers.
Request parameters
None specific to this method. This method can use pagination and filtering parameters.
Returned values
| Name | What providers does this setting apply to? | Description |
|---|---|---|
| name | All providers | Specifies the name of the federated provider. |
| type | All providers | Specifies the federated provider type. If you have a Splunk Enterprise deployment, you can set type only to splunk, indicating that the provider is for Federated Search for Splunk.If you have a Splunk Cloud Platform deployment, you can set |
| mode | Applies only to Federated Search for Splunk providers | Specifies whether the federated provider runs federated searches in standard or transparent mode. For a detailed comparison of the standard and transparent modes of federated search, see About Federated Search for Splunk in Federated Search.Defaults to |
| appContext | Applies only to Federated Search for Splunk providers | Specifies the Splunk application context for federated searches that are run over standard mode federated providers. The application context ensures that standard mode federated searches using this federated provider are limited to the knowledge objects that are associated with the named application.
Defaults to |
| aws_account_id | Applies only to Federated Search for Amazon S3 providers | Specifies a 12-digit Amazon Web Services (AWS) account ID. |
| aws_glue_tables_allowlist | Applies only to Federated Search for Amazon S3 providers | Specifies a comma-separated list of AWS Glue tables from which Federated Search for Amazon S3 can get metadata and data schemas. |
| aws_kms_keys_arn_allowlist | Applies only to Federated Search for Amazon S3 providers | Specifies a comma-separated list of the Amazon resource names (ARNs) for the AWS KMS keys that encrypt Amazon S3 data. |
| aws_region | Applies only to Federated Search for Amazon S3 providers | Specifies the Amazon Web Services (AWS) region of your Splunk Cloud Platform deployment. This setting is determined automatically by Splunk software. |
| aws_s3_paths_allowlist | Applies only to Federated Search for Amazon S3 providers | Specifies a comma-separated list of Amazon S3 location paths that you can search with Federated Search for Amazon S3. |
| database | Applies only to Federated Search for Amazon S3 providers | Specifies the name of the AWS Glue Data Catalog database that contains the AWS Glue Data Catalog tables for the federated provider. |
| data_catalog | Applies only to Federated Search for Amazon S3 providers | Specifies the Amazon Resource Name (ARN) for the AWS Glue Data Catalog. The ARN points to an AWS account. |
| hostPort | Applies only to Federated Search for Splunk providers | Specifies the protocols required to connect to a federated provider. Usually follows this format <Host_Name>:<Service_Port_Number>. In some cases, an IP address is used instead of a host name. |
| serviceAccount | Applies only to Federated Search for Splunk providers | Specifies the user name for a service account that has been set up on the federated provider for the purpose of facilitating secure federated searches. |
| useFSHKnowledgeObjects | Applies only to Federated Search for Splunk providers | Specifies whether the remote search head uses its own knowledge objects for federated searches, or if it uses knowledge objects that are bundle-replicated from the federated search head. The federated provider
|
| connectivityStatus | Applies only to Federated Search for Splunk providers | Specifies whether the federated provider established a connection to your local deployment in its last attempt to do so.
This setting is for diagnostic purposes only and cannot be set or changed by users. |
| disabled | All providers | Specifies whether the federated provider is turned on or off. When a federated provider is turned off, the provider cannot return results for federated searches. |
Example federated provider request and response
Return a list of all federated providers, regardless of type. The sample XML response returns the details for two Federated Search for Amazon S3 providers and one Federated Search for Splunk provider.
XML request
curl -k -u admin:changeme -X GET https://localhost:8126/services/data/federated/provider
XML response
...
<entry>
<title>provider-test-fss3</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/federated/provider/provider-test-fss3</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3" rel="list"/>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3" rel="edit"/>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3" rel="remove"/>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3/enable" rel="enable"/>
<content type="text/xml">
<s:dict>
<s:key name="aws_account_id">123456789012</s:key>
<s:key name="aws_glue_tables_allowlist">xyz,aaa,abc,cde</s:key>
<s:key name="aws_region">us-west-2</s:key>
<s:key name="aws_s3_paths_allowlist">s3:/b1/p1*,s3:/b2/*</s:key>
<s:key name="data_catalog">glue:arn:aws:glue:us-west-2:123456789012:catalog</s:key>
<s:key name="database">fss3_db</s:key>
<s:key name="disabled">1</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="type">aws_s3</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>test_provider</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/federated/provider/aws_s3_provider </id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="list"/>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="edit"/>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="aws_account_id">123456789012</s:key>
<s:key name="aws_glue_tables_allowlist">table_1,table_2</s:key>
<s:key name="aws_kms_keys_arn_allowlist">arn:aws:kms:us-east-1:123456789012:key/b1e51ce6-210d-49dd-a6a6-7ff950000003</s:key>
<s:key name="aws_region">us-west-2</s:key>
<s:key name="aws_s3_paths_allowlist">s3://bucket1,s3://bucket2/folder2/</s:key>
<s:key name="data_catalog">glue:arn:aws:glue:us-west-2:123456789012:catalog</s:key>
<s:key name="database">database_1</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="type">aws_s3</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>splunk2splunk_provider_1</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/federated/provider/splunk2splunk_provider_1</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/system/data/federated/provider/splunk2splunk_provider_1" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/federated/provider/splunk2splunk_provider_1" rel="list"/>
<link href="/servicesNS/nobody/system/data/federated/provider/splunk2splunk_provider_1/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/federated/provider/splunk2splunk_provider_1" rel="edit"/>
<link href="/servicesNS/nobody/system/data/federated/provider/splunk2splunk_provider_1" rel="remove"/>
<link href="/servicesNS/nobody/system/data/federated/provider/splunk2splunk_provider_1/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="appContext">search</s:key>
<s:key name="connectivityStatus">invalid</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="hostPort">buttercupgames.splunkcloud.com:8088</s:key>
<s:key name="mode">standard</s:key>
<s:key name="serviceAccount">fedsearch-account</s:key>
<s:key name="type">splunk</s:key>
<s:key name="useFSHKnowledgeObjects">0</s:key>
</s:dict>
</content>
</entry>
</feed>
Example Federated Search for Amazon S3 request and response
Return a list of all Federated Search for Amazon S3 federated providers.
XML request
curl -k -u admin:changeme --request -X GET https://localhost:8089/services/data/federated/provider -d type=aws_s3
XML response
...
<entry>
<title>provider-test-fss3</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/federated/provider/provider-test-fss3</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3" rel="list"/>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3" rel="edit"/>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3" rel="remove"/>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3/enable" rel="enable"/>
<content type="text/xml">
<s:dict>
<s:key name="aws_account_id">123456789012</s:key>
<s:key name="aws_glue_tables_allowlist">xyz,aaa,abc,cde</s:key>
<s:key name="aws_region">us-west-2</s:key>
<s:key name="aws_s3_paths_allowlist">s3:/b1/p1*,s3:/b2/*</s:key>
<s:key name="data_catalog">glue:arn:aws:glue:us-west-2:123456789012:catalog</s:key>
<s:key name="database">fss3_db</s:key>
<s:key name="disabled">1</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="type">aws_s3</s:key>
</s:dict>
</content>
</entry>
<entry>
<title> aws_s3_provider </title>
<id>https://localhost:8089/servicesNS/nobody/system/data/federated/provider/aws_s3_provider </id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="list"/>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="edit"/>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="aws_account_id">123456789012</s:key>
<s:key name="aws_glue_tables_allowlist">table_1,table_2</s:key>
<s:key name="aws_kms_keys_arn_allowlist">arn:aws:kms:us-east-1:123456789012:key/b1e51ce6-210d-49dd-a6a6-7ff950000003</s:key>
<s:key name="aws_region">us-west-2</s:key>
<s:key name="aws_s3_paths_allowlist">s3://bucket1,s3://bucket2/folder2/</s:key>
<s:key name="data_catalog">glue:arn:aws:glue:us-west-2:123456789012:catalog</s:key>
<s:key name="database">database_1</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="type">aws_s3</s:key>
</s:dict>
</content>
</entry>
POST
Creates a new federated provider definition.
Request parameters
| Name | What providers does this setting apply to? | Type | Description |
|---|---|---|---|
| name | All providers | String | Required. Specify a unique name for the federated provider. |
| type | All providers | String | Required. Set the type of federated provider. Your options for this setting depend on whether you are running your federated searches from a Splunk Enterprise deployment or Splunk Cloud Platform deployment. If you are running federated searches from a Splunk Enterprise deployment, you can only set |
| mode | Applies only to Federated Search for Splunk providers | String | Required. Specify whether the federated provider runs federated searches in standard or transparent mode. For a detailed comparison of the standard and transparent modes of federated search, see About Federated Search for Splunk in Federated Search.Use transparent mode only if you are migrating to federated search from a Splunk Enterprise to Splunk Cloud Platform hybrid search setup. Federated Search for Splunk does not support setting up a mix of transparent mode and standard mode federated providers for the same local deployment, as this practice can introduce unexpected complications. All of the federated providers for a specific local deployment must use the same provider mode. Defaults tostandard.
|
| appContext | Applies only to Federated Search for Splunk providers | String | Specify an app folder name to apply an application context to federated searches over a standard mode federated provider. The application context determines which set of knowledge objects on the remote search head is applied to the federated searches you run over that provider.
See Set the app context for standard mode federated providers in Federated Search. |
| aws_account_id | Applies only to Federated Search for Amazon S3 providers | Number | Required. Provide the 12-digit ID for the Amazon Web Services (AWS) account that is the data source for your federated provider. |
| aws_glue_tables_allowlist | Applies only to Federated Search for Amazon S3 providers | String | Required. Provide a comma-separated list of AWS Glue tables from which Federated Search for Amazon S3 can get metadata and data schemas. Each AWS Glue table in the list must have these elements:
|
| aws_kms_keys_arn_allowlist | Applies only to Federated Search for Amazon S3 providers | String | If you use the AWS Key Management Service to apply server-side encryption (SSE-KMS) to the data stored in your Amazon S3 buckets, provide a comma-separated list of the Amazon resource names (ARNs) for the AWS KMS keys that encrypt Amazon S3 data.
Federated search for Amazon S3 supports only customer-managed AWS KMS keys. In addition, each KMS key ARN you provide in this field must belong to the AWS account you specify with the |
| aws_s3_paths_allowlist | Applies only to Federated Search for Amazon S3 providers | String | Required. Provide a comma-separated list of Amazon S3 location paths that you can search with Federated Search for Amazon S3. |
| database | Applies only to Federated Search for Amazon S3 providers | String | Required. Provide the name of the AWS Glue Data Catalog database that contains the AWS Glue Data Catalog tables for the federated provider. |
| hostPort | Applies only to Federated Search for Splunk providers | String | Required. Provide the host name and port number for the federated provider, separated by a colon character. For example: buttercupgames.splunkcloud.com:8089.
|
| password | Applies only to Federated Search for Splunk providers | String | Required. Provide the password for a service account that is already set up on the federated provider. This dedicated user account allows the federated search head on your local instance to securely search datasets on the federated provider. See Service accounts and security for Federated Search for Splunk in Federated Search. |
| serviceAccount | Applies only to Federated Search for Splunk providers | String | Required. Provide the username for a service account that is already set up on the federated provider. This dedicated user account allows the federated search head on your local instance to securely search datasets on the federated provider. See Service accounts and security for Federated Search for Splunk in Federated Search. |
Returned values
| Name | What providers does this setting apply to? | Description |
|---|---|---|
| name | All providers | Specifies the name of the federated provider. |
| type | All providers | Specifies the federated provider type. If you have a Splunk Enterprise deployment, type only be set to splunk, indicating that the provider is for Federated Search for Splunk.If you have a Splunk Cloud Platform deployment, |
| mode | Applies only to Federated Search for Splunk providers | Specifies whether the federated provider runs federated searches in standard or transparent mode. For a detailed comparison of the standard and transparent modes of federated search, see About Federated Search for Splunk in Federated Search.Defaults to |
| appContext | Applies only to Federated Search for Splunk providers | Specifies the Splunk application context for federated searches that are run over standard mode federated providers. The application context ensures that standard mode federated searches using this federated provider are limited to the knowledge objects that are associated with the named application.
Defaults to |
| aws_account_id | Applies only to Federated Search for Amazon S3 providers | Specifies a 12-digit Amazon Web Services (AWS) account ID. |
| aws_glue_tables_allowlist | Applies only to Federated Search for Amazon S3 providers | Specifies a comma-separated list of AWS Glue tables from which Federated Search for Amazon S3 can get metadata and data schemas. |
| aws_kms_keys_arn_allowlist | Applies only to Federated Search for Amazon S3 providers | Specifies a comma-separated list of the Amazon resource names (ARNs) for the AWS KMS keys that encrypt Amazon S3 data. |
| aws_region | Applies only to Federated Search for Amazon S3 providers | Specifies the Amazon Web Services (AWS) region of your Splunk Cloud Platform deployment. This setting is determined automatically by Splunk software. |
| aws_s3_paths_allowlist | Applies only to Federated Search for Amazon S3 providers | Specifies a comma-separated list of Amazon S3 location paths that you can search with Federated Search for Amazon S3. |
| database | Applies only to Federated Search for Amazon S3 providers | Specifies the name of the AWS Glue Data Catalog database that contains the AWS Glue Data Catalog tables for the federated provider. |
| data_catalog | Applies only to Federated Search for Amazon S3 providers | Specifies the Amazon Resource Name (ARN) for the AWS Glue Data Catalog. The ARN points to an AWS account. Splunk software provides the value for this setting. |
| hostPort | Applies only to Federated Search for Splunk providers | Specifies the protocols required to connect to a federated provider. Usually follows this format <Host_Name>:<Service_Port_Number>. In some cases, an IP address is used instead of a host name. |
| serviceAccount | Applies only to Federated Search for Splunk providers | Specifies the user name for a service account that has been set up on the federated provider for the purpose of facilitating secure federated searches. |
| useFSHKnowledgeObjects | Applies only to Federated Search for Splunk providers | Specifies whether the remote search head uses its own knowledge objects for federated searches, or if it uses knowledge objects that are bundle-replicated from the federated search head. The federated provider
|
| connectivityStatus | Applies only to Federated Search for Splunk providers | Specifies whether the federated provider established a connection to your local deployment in its last attempt to do so.
This setting is for diagnostic purposes only and cannot be set or changed by users. |
| disabled | All providers | Specifies whether the federated provider is turned on or off. When a federated provider is turned off, the provider cannot return results for federated searches. |
Example Federated Search for Splunk request and response
Create a new definition for a Federated Search for Splunk federated provider named provider-1.
XML request
curl -k -u admin:changeme -X POST https://localhost:8126/services/data/federated/provider -d name=provider-1 -d type=splunk -d mode=standard -d hostPort=10.225.131.242:8089 -d serviceAccount=admin -d password=Chang3d!
XML response
...
<entry>
<title>provider-1</title>
<id>https://localhost:8126/servicesNS/nobody/system/data/federated/provider/provider-1</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="list"/>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-1/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="edit"/>
<link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="appContext">search</s:key>
<s:key name="connectivityStatus">unknown</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="hostPort">10.225.131.242:8089</s:key>
<s:key name="mode">standard</s:key>
<s:key name="serviceAccount">admin</s:key>
<s:key name="type">splunk</s:key>
<s:key name="useFSHKnowledgeObjects">0</s:key>
</s:dict>
</content>
</entry>
</feed>
Example Federated Search for Amazon S3 request and response
Create a new definition for a Federated Search for Splunk federated provider named aws_s3_provider.
XML request
curl -k -u admin:changeme -X POST https://localhost:8089/services/data/federated/provider -d name=aws_s3_provider -d type=aws_s3 -d aws_account_id=123456789012 -d database=database_1 -d aws_s3_paths_allowlist="s3://bucket1,s3://bucket2/folder2/" -d aws_kms_keys_arn_allowlist=arn:aws:kms:us-east-1:123456789012:key/b1e51ce6-210d-49dd-a6a6-7ff950000003 -d aws_glue_tables_allowlist=table_1,table_2
XML response
...
<entry>
<title>test_provider</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/federated/provider/aws_s3_provider</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="list"/>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="edit"/>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="aws_account_id">123456789012</s:key>
<s:key name="aws_glue_tables_allowlist">table_1,table_2</s:key>
<s:key name="aws_kms_keys_arn_allowlist">arn:aws:kms:us-east-1:123456789012:key/b1e51ce6-210d-49dd-a6a6-7ff950000003</s:key>
<s:key name="aws_region">us-west-2</s:key>
<s:key name="aws_s3_paths_allowlist">s3://bucket1,s3://bucket2/folder2/</s:key>
<s:key name="data_catalog">glue:arn:aws:glue:us-west-2:123456789012:catalog</s:key>
<s:key name="database">database_1</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="type">aws_s3</s:key>
</s:dict>
</content>
</entry>
</feed>
data/federated/provider/turnOffProvidersInBatch
https://<host>:<mPort>/services/data/federated/provider/turnOffProvidersInBatch
Use this endpoint to turn off groups of federated providers with one REST API call. This endpoint applies to federated providers for Federated Search for Splunk and Federated Search for Amazon S3. Federated Search for Amazon S3 is available only for Splunk Cloud Platform.
When federated providers are turned off, their federated indexes are unavailable for federated searches.
After you turn off a group of federated providers with this endpoint, individually turn each deactivated federated provider back on with the data/federated/provider/{federated_provider_name}/enable endpoint.
The provider endpoint does not honor user or app context. It always places federated provider stanzas in etc/system/local/federated.conf, no matter which user or app namespace you are currently using.
For more information about defining federated providers for Federated Search for Splunk, see Define a Splunk platform federated provider in Federated Search.
For more information about defining federated providers for Federated Search for Amazon S3, see Define an Amazon S3 federated provider in Federated Search.
Authentication and authorization
Usage of the POST operation for this endpoint is restricted to roles that have the admin_all_objects capability.
POST
Turns off all federated providers. Can also turn off all federated providers belonging to a specific federated search type.
Request parameters
| Name | What providers does this setting apply to? | Type | Description |
|---|---|---|---|
| type | All providers | String | Optional Provide a filter for the federated provider type. Your options for this setting depend on whether you are using Splunk Enterprise or Splunk Cloud Platform. If you are running federated searches from a Splunk Enterprise deployment, you can only filter on |
Returned values
None specific to this method.
Example XML requests
Turn off all federated providers, regardless of type.
curl -k -u admin:changeme -X POST https://localhost:8089/services/data/federated/provider/turnOffProvidersInBatch
Turn off all Federated Search for Splunk federated providers.
curl -k -u admin:changeme --request -X POST https://localhost:8089/services/data/federated/provider/turnOffProvidersInBatch -d type=splunk
Turn off all Federated Search for Amazon S3 federated providers.
curl -k -u admin:changeme --request -X POST https://localhost:8089/services/data/federated/provider/turnOffProvidersInBatch -d type=aws_s3
XML response
<title>federated-provider</title>
<id>https://localhost:8089/services/data/federated/provider</id>
<updated>2024-01-12T15:42:21-08:00</updated>
<generator build="560faafdef34420e5bda25009961db864cef5986" version="20240110"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/federated/provider/_new" rel="create"/>
<link href="/services/data/federated/provider/_reload" rel="_reload"/>
<link href="/services/data/federated/provider/_acl" rel="_acl"/>
<link href="/services/data/federated/provider/generateACSPolicy" rel="generateACSPolicy"/>
<link href="/services/data/federated/provider/generatePolicy" rel="generatePolicy"/>
<link href="/services/data/federated/provider/getACSPolicy" rel="getACSPolicy"/>
<link href="/services/data/federated/provider/getRegion" rel="getRegion"/>
<link href="/services/data/federated/provider/turnOffProvidersInBatch" rel="turnOffProvidersInBatch"/>
<link href="/services/data/federated/provider/updateACSPolicy" rel="updateACSPolicy"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
data/federated/provider/{federated_provider_name}
https://<host>:<mPort>/services/data/federated/provider/{federated_provider_name}
Use this endpoint to:
- Retrieve a specific federated provider definition.
- Update a specific federated provider definition.
- Delete a specific federated provider definition.
Some of the settings you can review and update with these endpoints are exclusive to Federated Search for Splunk, while other settings are exclusive to Federated Search for Amazon S3. Federated Search for Amazon S3 is available only for Splunk Cloud Platform deployments.
The provider endpoint does not honor user or app context. It always places federated provider stanzas in etc/system/local/federated.conf, no matter which user or app namespace you are currently using.
For more information about defining federated providers for Federated Search for Splunk, see Define a Splunk platform federated provider in Federated Search.
For more information about defining federated providers for Federated Search for Amazon S3, see Define an Amazon S3 federated provider in Federated Search.
Authentication and Authorization
Usage of the POST and DELETE operations for this endpoint is restricted to roles that have the admin_all_objects capability.
GET
Returns a definition of a specific {federated_provider_name}.
Request parameters
None specific to this method.
Returned values
| Name | What providers does this setting apply to? | Description |
|---|---|---|
| name | All providers | Specifies the name of the federated provider. |
| type | All providers | Specifies the federated provider type. If you have a Splunk Enterprise deployment, you can set type only to splunk, indicating that the provider is for Federated Search for Splunk.If you have a Splunk Cloud Platform deployment, you can set |
| mode | Applies only to Federated Search for Splunk providers | Specifies whether the federated provider runs federated searches in standard or transparent mode. For a detailed comparison of the standard and transparent modes of federated search, see About Federated Search for Splunk in Federated Search.Defaults to |
| appContext | Applies only to Federated Search for Splunk providers | Specifies the Splunk application context for federated searches that are run over standard mode federated providers. The application context ensures that standard mode federated searches using this federated provider are limited to the knowledge objects that are associated with the named application.
Defaults to |
| aws_account_id | Applies only to Federated Search for Amazon S3 providers | Specifies a 12-digit Amazon Web Services (AWS) account ID. |
| aws_glue_tables_allowlist | Applies only to Federated Search for Amazon S3 providers | Specifies a comma-separated list of AWS Glue tables from which Federated Search for Amazon S3 can get metadata and data schemas. |
| aws_kms_keys_arn_allowlist | Applies only to Federated Search for Amazon S3 providers | Specifies a comma-separated list of the Amazon resource names (ARNs) for the AWS KMS keys that encrypt Amazon S3 data. |
| aws_region | Applies only to Federated Search for Amazon S3 providers | Specifies the Amazon Web Services (AWS) region of your Splunk Cloud Platform deployment. This setting is determined automatically by Splunk software. |
| aws_s3_paths_allowlist | Applies only to Federated Search for Amazon S3 providers | Specifies a comma-separated list of Amazon S3 location paths that you can search with Federated Search for Amazon S3. |
| database | Applies only to Federated Search for Amazon S3 providers | Specifies the name of the AWS Glue Data Catalog database that contains the AWS Glue Data Catalog tables for the federated provider. |
| data_catalog | Applies only to Federated Search for Amazon S3 providers | Specifies the Amazon Resource Name (ARN) for the AWS Glue Data Catalog. The ARN points to an AWS account. |
| hostPort | Applies only to Federated Search for Splunk providers | Specifies the protocols required to connect to a federated provider. Usually follows this format <Host_Name>:<Service_Port_Number>. In some cases, an IP address is used instead of a host name. |
| serviceAccount | Applies only to Federated Search for Splunk providers | Specifies the user name for a service account that has been set up on the federated provider for the purpose of facilitating secure federated searches. |
| useFSHKnowledgeObjects | Applies only to Federated Search for Splunk providers | Specifies whether the remote search head uses its own knowledge objects for federated searches, or if it uses knowledge objects that are bundle-replicated from the federated search head. The federated provider
|
| connectivityStatus | Applies only to Federated Search for Splunk providers | Specifies whether the federated provider established a connection to your local deployment in its last attempt to do so.
This setting is for diagnostic purposes only and cannot be set or changed by users. |
| disabled | All providers | Specifies whether the federated provider is turned on or off. When a federated provider is turned off, the provider cannot return results for federated searches. |
Example Federated Search for Splunk request and response
Return the definition for the my_federated_provider federated provider.
XML Request
curl -k -u admin:changeme -X GET https://localhost:8089/services/data/federated/provider/my_federated_provider
XML response
...
<entry>
<title>my_federated_provider</title>
<id>/servicesNS/nobody/system/data/federated/provider/my_federated_provider</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="list"/>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="edit"/>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="remove"/>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="appContext">search</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>appContext</s:item>
<s:item>hostPort</s:item>
<s:item>password</s:item>
<s:item>serviceAccount</s:item>
<s:item>type</s:item>
<s:item>useFSHKnowledgeObjects</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list>
<s:item>.*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="hostPort">10.225.131.242:8089</s:key>
<s:key name="mode">standard</s:key>
<s:key name="serviceAccount">user1</s:key>
<s:key name="type">splunk</s:key>
<s:key name="useFSHKnowledgeObjects">1</s:key>
</s:dict>
</content>
</entry>
Example Federated Search for Amazon S3 request and response
Return the definition for the aws_s3_provider federated provider.
XML Request
curl -k -u admin:changeme -X GET https://localhost:8089/services/data/federated/provider/aws_s3_provider
XML response
...
<entry>
<title> aws_s3_provider</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/federated/provider/aws_s3_provider</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="list"/>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="edit"/>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="aws_account_id">123456789012</s:key>
<s:key name="aws_glue_tables_allowlist">table_1,table_2</s:key>
<s:key name="aws_kms_keys_arn_allowlist">arn:aws:kms:us-east-1:123456789012:key/b1e51ce6-210d-49dd-a6a6-7ff950000003</s:key>
<s:key name="aws_region">us-west-2</s:key>
<s:key name="aws_s3_paths_allowlist">s3://bucket1,s3://bucket2/folder2/</s:key>
<s:key name="data_catalog">glue:arn:aws:glue:us-west-2:123456789012:catalog</s:key>
<s:key name="database">database_1</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="type">aws_s3</s:key>
</s:dict>
</content>
</entry>
POST
Updates a definition for a specific {federated_provider_name}.
Request parameters
At least one argument is required.
| Name | What providers does this setting apply to? | Type | Description |
|---|---|---|---|
| appContext | Applies only to Federated Search for Splunk providers | String | Specify an app folder name to apply an application context to federated searches over a standard mode federated provider. The application context determines which set of knowledge objects on the remote search head is applied to the federated searches you run over that provider.
See Set the app context for standard mode federated providers in Federated Search. |
| aws_account_id | Applies only to Federated Search for Amazon S3 providers | Number | Required. Provide the 12-digit ID for the Amazon Web Services (AWS) account that is the data source for your federated provider. |
| aws_glue_tables_allowlist | Applies only to Federated Search for Amazon S3 providers | String | Required. Provide a comma-separated list of AWS Glue tables from which Federated Search for Amazon S3 can get metadata and data schemas. Each AWS Glue table in the list must have these elements:
|
| aws_kms_keys_arn_allowlist | Applies only to Federated Search for Amazon S3 providers | String | If you use the AWS Key Management Service to apply server-side encryption (SSE-KMS) to the data stored in your Amazon S3 buckets, provide a comma-separated list of the Amazon resource names (ARNs) for the AWS KMS keys that encrypt Amazon S3 data.
Federated search for Amazon S3 supports only customer-managed AWS KMS keys. In addition, each KMS key ARN you provide in this field must belong to the AWS account you specify with the |
| aws_s3_paths_allowlist | Applies only to Federated Search for Amazon S3 providers | String | Required. Provide a comma-separated list of Amazon S3 location paths that you can search with Federated Search for Amazon S3. |
| hostPort | Applies only to Federated Search for Splunk providers | String | Required. Provide the host name and port number for the federated provider, separated by a colon character. For example: buttercupgames.splunkcloud.com:8089.
|
| password | Applies only to Federated Search for Splunk providers | String | Required. Provide the password for a service account that is already set up on the federated provider. This dedicated user account allows the federated search head on your local instance to securely search datasets on the federated provider. See Service accounts and security for Federated Search for Splunk in Federated Search. |
| serviceAccount | Applies only to Federated Search for Splunk providers | String | Required. Provide the username for a service account that is already set up on the federated provider. This dedicated user account allows the federated search head on your local instance to securely search datasets on the federated provider. See Service accounts and security for Federated Search for Splunk in Federated Search. |
Returned values
| Name | What providers does this setting apply to? | Description |
|---|---|---|
| name | All providers | Specifies the name of the federated provider. |
| type | All providers | Specifies the federated provider type. If you have a Splunk Enterprise deployment, you can set type only to splunk, indicating that the provider is for Federated Search for Splunk.If you have a Splunk Cloud Platform deployment, you can set |
| mode | Applies only to Federated Search for Splunk providers | Specifies whether the federated provider runs federated searches in standard or transparent mode. For a detailed comparison of the standard and transparent modes of federated search, see About Federated Search for Splunk in Federated Search.Defaults to |
| appContext | Applies only to Federated Search for Splunk providers | Specifies the Splunk application context for federated searches that are run over standard mode federated providers. The application context ensures that standard mode federated searches using this federated provider are limited to the knowledge objects that are associated with the named application.
Defaults to |
| aws_account_id | Applies only to Federated Search for Amazon S3 providers | Specifies a 12-digit Amazon Web Services (AWS) account ID. |
| aws_glue_tables_allowlist | Applies only to Federated Search for Amazon S3 providers | Specifies a comma-separated list of AWS Glue tables from which Federated Search for Amazon S3 can get metadata and data schemas. |
| aws_kms_keys_arn_allowlist | Applies only to Federated Search for Amazon S3 providers | Specifies a comma-separated list of the Amazon resource names (ARNs) for the AWS KMS keys that encrypt Amazon S3 data. |
| aws_region | Applies only to Federated Search for Amazon S3 providers | Specifies the Amazon Web Services (AWS) region of your Splunk Cloud Platform deployment. This setting is determined automatically by Splunk software. |
| aws_s3_paths_allowlist | Applies only to Federated Search for Amazon S3 providers | Specifies a comma-separated list of Amazon S3 location paths that you can search with Federated Search for Amazon S3. |
| database | Applies only to Federated Search for Amazon S3 providers | Specifies the name of the AWS Glue Data Catalog database that contains the AWS Glue Data Catalog tables for the federated provider. |
| data_catalog | Applies only to Federated Search for Amazon S3 providers | Specifies the Amazon Resource Name (ARN) for the AWS Glue Data Catalog. The ARN points to an AWS account. Splunk software provides the value for this setting. |
| hostPort | Applies only to Federated Search for Splunk providers | Specifies the protocols required to connect to a federated provider. Usually follows this format <Host_Name>:<Service_Port_Number>. In some cases, an IP address is used instead of a host name. |
| serviceAccount | Applies only to Federated Search for Splunk providers | Specifies the user name for a service account that has been set up on the federated provider for the purpose of facilitating secure federated searches. |
| useFSHKnowledgeObjects | Applies only to Federated Search for Splunk providers | Specifies whether the remote search head uses its own knowledge objects for federated searches, or if it uses knowledge objects that are bundle-replicated from the federated search head. The federated provider
|
| connectivityStatus | Applies only to Federated Search for Splunk providers | Specifies whether the federated provider established a connection to your local deployment in its last attempt to do so.
This setting is for diagnostic purposes only and cannot be set or changed by users. |
| disabled | All providers | Specifies whether the federated provider is turned on or off. When a federated provider is turned off, the provider cannot return results for federated searches. |
Example Federated Search for Splunk request and response
For the federated provider named my_federated_provider, change the serviceAccount setting to eagle01, to match an update to the service account user on that federated provider.
XML request
curl -k -u admin:changeme -X POST https://localhost:8089/services/data/federated/provider/my_federated_provider -d serviceAccount=eagle01
XML response
<entry>
<title>my_federated_provider</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/federated/provider/my_federated_provider</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="list"/>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="edit"/>
<link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="appContext">search</s:key>
<s:key name="connectivityStatus">valid</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="hostPort">10.224.150.77:58677</s:key>
<s:key name="mode">standard</s:key>
<s:key name="serviceAccount">eagle01</s:key>
<s:key name="type">splunk</s:key>
<s:key name="useFSHKnowledgeObjects">0</s:key>
</s:dict>
</content>
</entry>
Example Federated Search for Amazon S3 request and response
For the federated provider named aws_s3_provider , change the aws_glue_tables_allowlist setting to table_1,table_2,table3,table4, to include table3 and table4, two new AWS Glue tables that you added to the AWS Glue database.
XML request
curl -k -u admin:changeme -X POST https://localhost:8089/services/data/federated/provider/aws_s3_provider -d aws_glue_tables_allowlist=table_1,table_2,table3,table4
XML response
<entry>
<title>test_provider</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/federated/provider/aws_s3_provider</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="list"/>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="edit"/>
<link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="aws_account_id">123456789012</s:key>
<s:key name="aws_glue_tables_allowlist">table3,table4,table_1,table_2</s:key>
<s:key name="aws_kms_keys_arn_allowlist">arn:aws:kms:us-east-1:123456789012:key/b1e51ce6-210d-49dd-a6a6-7ff950000003</s:key>
<s:key name="aws_region">us-west-2</s:key>
<s:key name="aws_s3_paths_allowlist">s3://bucket1,s3://bucket2/folder2/</s:key>
<s:key name="data_catalog">glue:arn:aws:glue:us-west-2:123456789012:catalog</s:key>
<s:key name="database">database_1</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="type">aws_s3</s:key>
</s:dict>
</content>
</entry>
DELETE
Deletes a definition for a specific {federated_provider_name}.
Request parameters
None specific to this method.
Returned values
None specific to this method.
Example Federated Search for Splunk request and response
Delete the [provider://my_federated_provider] stanza from etc/system/local/federated.conf.
XML Request
curl -k -u admin:changeme -X DELETE https://localhost:8089/services/data/federated/provider/my_federated_provider
XML response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>federated-provider</title>
<id>/services/data/federated/provider</id>
<updated>2021-04-27T12:47:36-07:00</updated>
<generator build="aa7e77c0d232b8ec1a8c12ceeda95e0bfe3c3f1c" version="20210423"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/federated/provider/_new" rel="create"/>
<link href="/services/data/federated/provider/_reload" rel="_reload"/>
<link href="/services/data/federated/provider/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
Example Federated Search for Amazon S3 request and response
Delete the [provider://aws_s3_provider] stanza from etc/system/local/federated.conf.
XML Request
curl -k -u admin:changeme -X DELETE https://localhost:8089/services/data/federated/provider/aws_s3_provider
XML Response
<title>federated-provider</title>
<id>https://localhost:8089/services/data/federated/provider</id>
<updated>2024-01-12T16:15:18-08:00</updated>
<generator build="560faafdef34420e5bda25009961db864cef5986" version="20240110"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/federated/provider/_new" rel="create"/>
<link href="/services/data/federated/provider/_reload" rel="_reload"/>
<link href="/services/data/federated/provider/_acl" rel="_acl"/>
<link href="/services/data/federated/provider/generateACSPolicy" rel="generateACSPolicy"/>
<link href="/services/data/federated/provider/generatePolicy" rel="generatePolicy"/>
<link href="/services/data/federated/provider/getACSPolicy" rel="getACSPolicy"/>
<link href="/services/data/federated/provider/getRegion" rel="getRegion"/>
<link href="/services/data/federated/provider/turnOffProvidersInBatch" rel="turnOffProvidersInBatch"/>
<link href="/services/data/federated/provider/updateACSPolicy" rel="updateACSPolicy"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
data/federated/provider/{federated_provider_name}/disable
https://<host>:<mPort>/services/data/federated/provider/{federated_provider_name}/disable
Use this endpoint to turn a specific federated provider off. When a federated provider is turned off, all federated indexes associated with that provider are not searchable in federated searches. This endpoint applies to federated providers for Federated Search for Splunk and for Federated Search for Amazon S3. Federated Search for Amazon S3 is available only for Splunk Cloud Platform deployments.
The provider endpoint does not honor user or app context. It always places federated provider stanzas in etc/system/local/federated.conf, no matter which user or app namespace you are currently using.
For more information about federated providers for Federated Search for Splunk, see Define a Splunk platform federated provider in Federated Search.
For more information about federated providers for Federated Search for Amazon S3, see Define an Amazon S3 federated provider in Federated Search.
Authentication and Authorization
Usage of the POST operation for this endpoint is restricted to roles that have the admin_all_objects capability.
POST
Turn off a specific federated provider.
Request parameters
None specific to this method.
Returned values
None specific to this method.
Example federated search request and response
Turn off a provider named aws_s3_provider.
XML request
curl -k -u admin:changeme --request -X POST https://localhost:8089/services/data/federated/provider/aws_s3_provider/disable
XML response
<entry>
<title>federated-provider</title>
<id>https://localhost:8089/services/data/federated/provider</id>
<updated>2024-01-12T15:42:21-08:00</updated>
<generator build="560faafdef34420e5bda25009961db864cef5986" version="20240110"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/federated/provider/_new" rel="create"/>
<link href="/services/data/federated/provider/_reload" rel="_reload"/>
<link href="/services/data/federated/provider/_acl" rel="_acl"/>
<link href="/services/data/federated/provider/generateACSPolicy" rel="generateACSPolicy"/>
<link href="/services/data/federated/provider/generatePolicy" rel="generatePolicy"/>
<link href="/services/data/federated/provider/getACSPolicy" rel="getACSPolicy"/>
<link href="/services/data/federated/provider/getRegion" rel="getRegion"/>
<link href="/services/data/federated/provider/turnOffProvidersInBatch" rel="turnOffProvidersInBatch"/>
<link href="/services/data/federated/provider/updateACSPolicy" rel="updateACSPolicy"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
data/federated/provider/{federated_provider_name}/enable
https://<host>:<mPort>/services/data/federated/provider/{federated_provider_name}/enable
Use this endpoint to turn a federated provider back on after you have turned it off. When a federated provider is turned on, all federated indexes associated with that provider can be searched in federated searches. This endpoint applies to federated providers for Federated Search for Splunk and federated providers for Federated Search for Amazon S3. Federated Search for Amazon S3 is available only for Splunk Cloud Platform deployments.
The provider endpoint does not honor user or app context. It always places federated provider stanzas in etc/system/local/federated.conf, no matter which user or app namespace you are currently using.
For more information about federated providers for Federated Search for Splunk, see Define a Splunk platform federated provider in Federated Search.
For more information about federated providers for Federated Search for Amazon S3, see Define an Amazon S3 federated provider in Federated Search.
Authentication and Authorization
Usage of the POST operation for this endpoint is restricted to roles that have the admin_all_objects capability.
POST
Turns a specific federated index on.
Request parameters
None specific to this method.
Returned values
None specific to this method.
Example request and response
Turn on a federated provider named aws_s3_provider.
XML request
curl -k -u admin:changeme --request -X POST https://localhost:8089/services/data/federated/provider/aws_s3_provider/enable
XML response
<title>federated-provider</title>
<id>https://localhost:8089/services/data/federated/provider</id>
<updated>2024-01-12T15:42:21-08:00</updated>
<generator build="560faafdef34420e5bda25009961db864cef5986" version="20240110"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/federated/provider/_new" rel="create"/>
<link href="/services/data/federated/provider/_reload" rel="_reload"/>
<link href="/services/data/federated/provider/_acl" rel="_acl"/>
<link href="/services/data/federated/provider/generateACSPolicy" rel="generateACSPolicy"/>
<link href="/services/data/federated/provider/generatePolicy" rel="generatePolicy"/>
<link href="/services/data/federated/provider/getACSPolicy" rel="getACSPolicy"/>
<link href="/services/data/federated/provider/getRegion" rel="getRegion"/>
<link href="/services/data/federated/provider/turnOffProvidersInBatch" rel="turnOffProvidersInBatch"/>
<link href="/services/data/federated/provider/updateACSPolicy" rel="updateACSPolicy"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
data/federated/index
https://<host>:<mPort>/services/data/federated/index
Use this endpoint to get a list of federated indexes and post new federated index definitions. Some of these federated index settings are exclusive to Federated Search for Splunk, while others are exclusive to Federated Search for Amazon S3. Federated Search for Amazon S3 is available only for Splunk Cloud Platform.
For more information about defining federated indexes for Federated Search for Splunk, see Map a federated index to a remote Splunk dataset in Federated Search.
For more information about defining federated indexes for Federated Search for Amazon S3, see Map a federated index to an AWS Glue Data Catalog table dataset in Federated Search.
Authentication and authorization
Usage of the POST operation for this endpoint is restricted to roles that have the admin_all_objects and indexes_edit capabilities.
GET
Returns a list of federated indexes.
Request parameters
None specific to this method. This method can use pagination and filtering parameters.
Returned values
This table is limited to settings specific to federated indexes. For descriptions of other index settings see the entry for data/indexes.
The data/indexes endpoint is available only to users of Splunk Enterprise.
| Name | What kinds of federated indexes does this setting apply to? | Description |
|---|---|---|
| name | All federated indexes | Specifies the name of the federated index. Uses the syntax federated:<index_name>.
|
| federated.provider | All federated indexes | Specifies the federated provider that contains the dataset to which this federated index maps. |
| federated.dataset | All federated indexes | Specifies the remote dataset on the federated.provider to which this federated index maps. Each federated index maps to only one dataset on a federated provider. The dataset is identified by its prefix and name, using the following syntax: <prefix>:<dataset_name>.
|
| federated.timefield | Applies only to Federated Search for Amazon S3 federated indexes | Specifies the time field that acts like an event timestamp in the AWS Glue table to which this index maps. |
| federated.timeformat | Applies only to Federated Search for Amazon S3 federated indexes | Specifies the time format variable or custom time format variable string that matches the federated.timefield.
|
| federated.unixtimefield | Applies only to Federated Search for Amazon S3 federated indexes | An alias for the federated.timefield that Splunk software converts into numeric UNIX time format at search time.
|
| federated.partition.time.fields | Applies only to Federated Search for Amazon S3 federated indexes | Specifies a comma-delimited list of time-related fields in the AWS Glue table to which the index is mapped. Each field is a partition key for a partition time field level indicated by its order in the list. The first field is at the first level, the second field is at the second level, and so on. |
| federated.partition.time.formats | Applies only to Federated Search for Amazon S3 federated indexes | Specifies a comma-delimited list of time format variables or custom time format strings that correspond to the fields in the federated.partition.time.fields list. The first variable corresponds to the first field name, the second variable corresponds to the second field name, and so on.
|
| federated.partition.time.types | Applies only to Federated Search for Amazon S3 federated indexes | Specifies a comma-delimited list of time field types that correspond to the fields in the federated.partition.time.fields list. Possible values are String, Integer, and Date.
|
| federated.partition.time.tz | Applies only to Federated Search for Amazon S3 federated indexes | Specifies the timezone that corresponds to the fields in the federated.partition.time.fields list. Possible values are canonical timezone names such as America/Los_Angeles.
|
Example request and response
Get the complete list of federated indexes. The following XML response provides a sample of one returned Federated Search for Splunk federated index record.
XML Request
curl -k -u admin:changeme -X GET https://localhost:8126/services/data/federated/index
XML response
...
<entry>
<title>federated:remote_index_df_1</title>
<id>https://localhost:8126/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="list"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="edit"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="remove"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="federated.dataset">index:index_df_1</s:key>
<s:key name="federated.provider">provider-1</s:key>
</s:dict>
</content>
</entry>
POST
Creates a new federated index definition.
These tables are limited to settings specific to federated indexes. For descriptions of other index settings see the entry for data/indexes.
The data/indexes endpoint is available only to users of Splunk Enterprise.
Request parameters
| Name | What kinds of federated indexes does this setting apply to? | Type | Description |
|---|---|---|---|
| name | All federated indexes | String | Required. Specify a unique name for the federated index, using the syntax federated:<index_name>. Each federated index maps to only one remote dataset on a federated provider, so the name should reference that dataset.Index names have the following limitations:
|
| federated.provider | All federated indexes | String | Required. Specify the federated provider that contains the dataset to which this federated index maps. |
| federated.dataset | All federated indexes | String | Required. Specify the dataset on the federated.provider to which this federated index maps. The dataset is identified by its type and name, using the following syntax: <prefix>:<remote_name>.If the
If the |
| federated.timefield | Applies only to Federated Search for Amazon S3 federated indexes | String | Optional. Specifies the name of a time field that acts like an event timestamp in the AWS Glue table to which this index maps. In other words, the name of the field in the AWS Glue table that behaves like _time in the Splunk search processing language. You must provide a federated.timefield if you want to use time-related functions to search your remote Amazon S3 data.
|
| federated.timeformat | Applies only to Federated Search for Amazon S3 federated indexes | String | Optional. Specifies the time format variable or custom time format variable string that matches the federated.timefield. The time format variable string must be in Splunk strptime() format.
|
| federated.unixtimefield | Applies only to Federated Search for Amazon S3 federated indexes | String | Optional. Specifies an alias for the federated.timefield that Splunk software converts into numeric UNIX time format at search time.
|
| federated.partition.time.fields | Applies only to Federated Search for Amazon S3 federated indexes | String | Optional. Specifies a comma-delimited list of time-related fields in your remote data. These fields govern the partitions by which remote data is organized in non-Splunk-platform federated providers (such as Amazon S3 federated providers).
|
| federated.partition.time.formats | Applies only to Federated Search for Amazon S3 federated indexes | String | Optional. Specifies a comma-delimited list of time format variable strings that correspond to the time fields listed by the federated.partition.time.fields setting. The '%w'; and '%JT' time format variables are not supported by this setting. See Date and time format variables in the Search manual.
|
| federated.partition.time.types | Applies only to Federated Search for Amazon S3 federated indexes | String | Optional. Specifies a comma-delimited list of data type values that correspond to the time fields listed by the federated.partition.time.fields setting. The supported time field types are string, integer, and date.
|
| federated.partition.time.tz | Applies only to Federated Search for Amazon S3 federated indexes | String | Optional. Specifies the time zone to use for the time fields listed in federated.partition.time.fields. Use only canonical time zone names such as America/Los_Angeles.
|
Returned values
This table is limited to settings specific to federated indexes. For descriptions of other index settings see the entry for data/indexes.
The data/indexes endpoint is available only to users of Splunk Enterprise.
| Name | What kinds of federated indexes does this setting apply to? | Description |
|---|---|---|
| name | All federated indexes | Specifies the name of the federated index. Uses the syntax federated:<index_name>.
|
| federated.provider | All federated indexes | Specifies the federated provider that contains the dataset to which this federated index maps. |
| federated.dataset | All federated indexes | Specifies the remote dataset on the federated.provider to which this federated index maps. Each federated index maps to only one dataset on a federated provider. The dataset is identified by its prefix and name, using the following syntax: <prefix>:<dataset_name>.
|
| federated.timefield | Applies only to Federated Search for Amazon S3 federated indexes | Specifies the time field in the AWS Glue table to which this index maps that acts like an event timestamp. |
| federated.timeformat | Applies only to Federated Search for Amazon S3 federated indexes | Specifies the time format variable or custom time format variable string that matches the federated.timefield.
|
| federated.unixtimefield | Applies only to Federated Search for Amazon S3 federated indexes | An alias for the federated.timefield that Splunk software converts into numeric UNIX time format at search time.
|
| federated.partition.time.fields | Applies only to Federated Search for Amazon S3 federated indexes | Specifies a comma-delimited list of time-related fields in the AWS Glue table to which the index is mapped. Each field is a partition key for a partition time field level indicated by its order in the list. The first field is at the first level, the second field is at the second level, and so on. |
| federated.partition.time.formats | Applies only to Federated Search for Amazon S3 federated indexes | Specifies a comma-delimited list of time format variables or custom time format strings that correspond to the fields in the federated.partition.time.fields list. The first variable corresponds to the first field name, the second variable corresponds to the second field name, and so on.
|
| federated.partition.time.types | Applies only to Federated Search for Amazon S3 federated indexes | Specifies a comma-delimited list of time field types that correspond to the fields in the federated.partition.time.fields list. Possible values are String, Integer, and Date.
|
| federated.partition.time.tz | Applies only to Federated Search for Amazon S3 federated indexes | Specifies the timezone that corresponds to the fields in the federated.partition.time.fields list. Possible values are canonical timezone names such as America/Los_Angeles.
|
Example Federated Search for Splunk request and response
Create a new definition for a Federated Search for Splunk federated index named airports-east.
XML Request
curl -k -u admin:changeme -X POST https://localhost:8089/services/data/federated/index -d name=federated:airports-east -d federated.provider=FenrisAirNYC -d federated.dataset=index:airports-east
XML response
<entry>
<title>federated:fs-airports-east</title>
<id>/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="list"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="edit"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="remove"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/move" rel="move"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="assureUTF8">0</s:key>
<s:key name="bucketMerge.maxMergeSizeMB">1000</s:key>
<s:key name="bucketMerge.maxMergeTimeSpanSecs">7776000</s:key>
<s:key name="bucketMerge.minMergeSizeMB">750</s:key>
<s:key name="bucketMerging">0</s:key>
<s:key name="coldPath.maxDataSizeMB">0</s:key>
<s:key name="coldToFrozenDir"></s:key>
<s:key name="coldToFrozenScript"></s:key>
<s:key name="compressRawdata">1</s:key>
<s:key name="datatype">event</s:key>
<s:key name="defaultDatabase">main</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="enableDataIntegrityControl">0</s:key>
<s:key name="enableRealtimeSearch">1</s:key>
<s:key name="enableTsidxReduction">0</s:key>
<s:key name="federated.dataset">index:airports-east</s:key>
<s:key name="federated.provider">FenrisAirNYC</s:key>
<s:key name="frozenTimePeriodInSecs">188697600</s:key>
<s:key name="homePath.maxDataSizeMB">0</s:key>
<s:key name="hotBucketStreaming.deleteHotsAfterRestart">0</s:key>
<s:key name="hotBucketStreaming.extraBucketBuildingCmdlineArgs"></s:key>
<s:key name="hotBucketStreaming.removeRemoteSlicesOnRoll">0</s:key>
<s:key name="hotBucketStreaming.reportStatus">0</s:key>
<s:key name="hotBucketStreaming.sendSlices">0</s:key>
<s:key name="hotBucketTimeRefreshInterval">60</s:key>
<s:key name="indexThreads">auto</s:key>
<s:key name="journalCompression">gzip</s:key>
<s:key name="maxConcurrentOptimizes">3</s:key>
<s:key name="maxDataSize">auto</s:key>
<s:key name="maxHotBuckets">1</s:key>
<s:key name="maxHotIdleSecs">0</s:key>
<s:key name="maxHotSpanSecs">7776000</s:key>
<s:key name="maxMemMB">5</s:key>
<s:key name="maxTotalDataSizeMB">500000</s:key>
<s:key name="maxWarmDBCount">300</s:key>
<s:key name="memPoolMB">auto</s:key>
<s:key name="metric.compressionBlockSize">1024</s:key>
<s:key name="metric.enableFloatingPointCompression">1</s:key>
<s:key name="metric.maxHotBuckets">1</s:key>
<s:key name="metric.splitByIndexKeys"></s:key>
<s:key name="metric.stubOutRawdataJournal">1</s:key>
<s:key name="metric.timestampResolution">s</s:key>
<s:key name="metric.tsidxTargetSizeMB">1500</s:key>
<s:key name="minHotIdleSecsBeforeForceRoll">auto</s:key>
<s:key name="minStreamGroupQueueSize">2000</s:key>
<s:key name="quarantineFutureSecs">2592000</s:key>
<s:key name="quarantinePastSecs">77760000</s:key>
<s:key name="rawChunkSizeBytes">131072</s:key>
<s:key name="rotatePeriodInSecs">60</s:key>
<s:key name="serviceInactiveIndexesPeriod">60</s:key>
<s:key name="serviceMetaPeriod">1</s:key>
<s:key name="splitByIndexKeys"></s:key>
<s:key name="streamingTargetTsidxSyncPeriodMsec">5000</s:key>
<s:key name="suspendHotRollByDeleteQuery">0</s:key>
<s:key name="sync">0</s:key>
<s:key name="timePeriodInSecBeforeTsidxReduction">604800</s:key>
<s:key name="tsidxDedupPostingsListMaxTermsLimit">8388608</s:key>
<s:key name="tsidxReductionCheckPeriodInSec">600</s:key>
<s:key name="tsidxTargetSizeMB">1500</s:key>
<s:key name="tsidxWritingLevel">1</s:key>
<s:key name="tstatsHomePath">volume:_splunk_summaries/$_index_name/datamodel_summary</s:key>
</s:dict>
</content>
</entry>
Example Federated Search for Amazon S3 request and response
Create a new definition for a Federated Search for Amazon S3 federated index named fss3_index.
XML Request
curl -k -u admin:changeme -X POST https://localhost:8089/services/data/federated/index -d name=federated:fss3_index -d federated.provider=my_federated_provider -d federated.dataset=aws_glue_table:table_1 -d federated.timefield=field_1 -d federated.timeformat=%25s
XML Response
<entry>
<title>federated:fss3_index</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="list"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="edit"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="remove"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="federated.dataset">aws_glue_table:table_1</s:key>
<s:key name="federated.provider">my_federated_provider</s:key>
<s:key name="federated.timefield">field_1</s:key>
<s:key name="federated.timeformat">%s</s:key>
<s:key name="federated.unixtimefield">_time</s:key>
</s:dict>
</content>
</entry>
</feed>
data/federated/index/{federated_index_name}
https://<host>:<mPort>/services/data/federated/provider/{federated_index_name}
Use this endpoint to:
- Retrieve a specific federated index definition.
- Update a specific federated index definition.
- Delete a specific federated index definition.
Some of these federated index settings are exclusive to Federated Search for Splunk, while others are exclusive to Federated Search for Amazon S3. Federated Search for Amazon S3 is available only for Splunk Cloud Platform.
For more information about defining federated indexes for Federated Search for Splunk, see Map a federated index to a remote Splunk dataset in Federated Search.
For more information about defining federated indexes for Federated Search for Amazon S3, see Map a federated index to an AWS Glue Data Catalog table dataset in Federated Search.
Authentication and Authorization
Usage of the POST and DELETE operations for this endpoint is restricted to roles that have the admin_all_objects and indexes_edit capabilities.
GET
Returns a definition of a specific {federated_index_name}.
Use federated:{federated_index_name} for a Federated Search for Splunk federated index. For a Federated Search for Amazon S3 federated index, use {federated_index_name}.
Request parameters
None specific to this method. This method can use pagination and filtering parameters.
Returned values
This table is limited to settings specific to federated indexes. For descriptions of other index settings see the entry for data/indexes.
The data/indexes endpoint is available only to users of Splunk Enterprise.
| Name | What kinds of federated indexes does this setting apply to? | Description |
|---|---|---|
| name | All federated indexes | Specifies the name of the federated index. Uses the syntax federated:<index_name>.
|
| federated.provider | All federated indexes | Specifies the federated provider that contains the dataset to which this federated index maps. |
| federated.dataset | All federated indexes | Specifies the remote dataset on the federated.provider to which this federated index maps. Each federated index maps to only one dataset on a federated provider. The dataset is identified by its prefix and name, using the following syntax: <prefix>:<dataset_name>.
|
| federated.timefield | Applies only to Federated Search for Amazon S3 federated indexes | Specifies the time field that acts like an event timestamp in the AWS Glue table to which this index maps. |
| federated.timeformat | Applies only to Federated Search for Amazon S3 federated indexes | Specifies the time format variable or custom time format variable string that matches the federated.timefield.
|
| federated.unixtimefield | Applies only to Federated Search for Amazon S3 federated indexes | An alias for the federated.timefield that Splunk software converts into numeric UNIX time format at search time.
|
| federated.partition.time.fields | Applies only to Federated Search for Amazon S3 federated indexes | Specifies a comma-delimited list of time-related fields in the AWS Glue table to which the index is mapped. Each field is a partition key for a partition time field level indicated by its order in the list. The first field is at the first level, the second field is at the second level, and so on. |
| federated.partition.time.formats | Applies only to Federated Search for Amazon S3 federated indexes | Specifies a comma-delimited list of time format variables or custom time format strings that correspond to the fields in the federated.partition.time.fields list. The first variable corresponds to the first field name, the second variable corresponds to the second field name, and so on.
|
| federated.partition.time.types | Applies only to Federated Search for Amazon S3 federated indexes | Specifies a comma-delimited list of time field types that correspond to the fields in the federated.partition.time.fields list. Possible values are String, Integer, and Date.
|
| federated.partition.time.tz | Applies only to Federated Search for Amazon S3 federated indexes | Specifies the timezone that corresponds to the fields in the federated.partition.time.fields list. Possible values are canonical timezone names such as America/Los_Angeles.
|
Example Federated Search for Splunk request and response
Return the definition for a Federated Search for Splunk federated index named remote_index_df_1.
XML Request
curl -k -u admin:changeme -X GET https://localhost:8126/services/data/federated/index/federated:remote_index_df_1
XML response
<entry>
<title>federated:remote_index_df_1</title>
<id>https://localhost:8126/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="list"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="edit"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="remove"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="federated.dataset">index:index_df_1</s:key>
<s:key name="federated.provider">provider-1</s:key>
</s:dict>
</content>
</entry>
Example Federated Search for Amazon S3 request and response
Return the definition for a Federated Search for Amazon S3 federated index named fss3_index.
XML Request
curl -k -u admin:changeme -X GET https://localhost:8089/services/data/federated/index/fss3_index
XML response
<entry>
<title>federated:fss3_index</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="list"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="edit"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="remove"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">1</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="federated.dataset">aws_glue_table:table_1</s:key>
<s:key name="federated.provider">aws_s3_provider</s:key>
<s:key name="federated.timefield">field_1</s:key>
<s:key name="federated.timeformat">%s</s:key>
<s:key name="federated.unixtimefield">_time</s:key>
</s:dict>
</content>
</entry>
</feed>
POST
Updates a definition for a specific {federated_index_name}.
Use federated:{federated_index_name} for a Federated Search for Splunk federated index. For a Federated Search for Amazon S3 federated index, use {federated_index_name}.
These tables are limited to settings specific to federated indexes. For descriptions of other index settings, see the entry for data/indexes.
The data/indexes endpoint is available only to users of Splunk Enterprise.
Request parameters
| Name | What kinds of federated indexes does this setting apply to? | Type | Description |
|---|---|---|---|
| federated.timefield | Applies only to Federated Search for Amazon S3 federated indexes | String | Optional. Specifies the name of a time field that acts like an event timestamp in the AWS Glue table to which this index maps. In other words, the name of the field in the AWS Glue table that behaves like _time in the Splunk search processing language. You must provide a federated.timefield if you want to use time-related functions to search your remote Amazon S3 data.
|
| federated.timeformat | Applies only to Federated Search for Amazon S3 federated indexes | String | Optional. Specifies the time format variable or custom time format variable string that matches the federated.timefield. The time format variable string must be in Splunk strptime() format.
|
| federated.unixtimefield | Applies only to Federated Search for Amazon S3 federated indexes | String | Optional. Specifies an alias for the federated.timefield that Splunk software converts into numeric UNIX time format at search time.
|
| federated.partition.time.fields | Applies only to Federated Search for Amazon S3 federated indexes | String | Optional. Specifies a comma-delimited list of time-related fields in your remote data. These fields govern the partitions by which remote data is organized in non-Splunk-platform federated providers (such as Amazon S3 federated providers).
|
| federated.partition.time.formats | Applies only to Federated Search for Amazon S3 federated indexes | String | Optional. Specifies a comma-delimited list of time format variable strings that correspond to the time fields listed by the federated.partition.time.fields setting. The '%w'; and '%JT' time format variables are not supported by this setting. See Date and time format variables in the Search manual.
|
| federated.partition.time.types | Applies only to Federated Search for Amazon S3 federated indexes | String | Optional. Specifies a comma-delimited list of data type values that correspond to the time fields listed by the federated.partition.time.fields setting. The supported time field types are string, integer, and date.
|
| federated.partition.time.tz | Applies only to Federated Search for Amazon S3 federated indexes | String | Optional. Specifies the time zone to use for the time fields listed in federated.partition.time.fields. Use only canonical time zone names such as America/Los_Angeles.
|
Returned values
This table is limited to settings specific to federated indexes. For descriptions of other index settings see the entry for data/indexes.
The data/indexes endpoint is available only to users of Splunk Enterprise.
| Name | What kinds of federated indexes does this setting apply to? | Description |
|---|---|---|
| name | All federated indexes | Specifies the name of the federated index. Uses the syntax federated:<index_name>.
|
| federated.provider | All federated indexes | Specifies the federated provider that contains the dataset to which this federated index maps. |
| federated.dataset | All federated indexes | Specifies the remote dataset on the federated.provider to which this federated index maps. Each federated index maps to only one dataset on a federated provider. The dataset is identified by its prefix and name, using the following syntax: <prefix>:<dataset_name>.
|
| federated.timefield | Applies only to Federated Search for Amazon S3 federated indexes | Specifies the time field in the AWS Glue table to which this index maps that acts like an event timestamp. |
| federated.timeformat | Applies only to Federated Search for Amazon S3 federated indexes | Specifies the time format variable or custom time format variable string that matches the federated.timefield.
|
| federated.unixtimefield | Applies only to Federated Search for Amazon S3 federated indexes | An alias for the federated.timefield that Splunk software converts into numeric UNIX time format at search time.
|
| federated.partition.time.fields | Applies only to Federated Search for Amazon S3 federated indexes | Specifies a comma-delimited list of time-related fields in the AWS Glue table to which the index is mapped. Each field is a partition key for a partition time field level indicated by its order in the list. The first field is at the first level, the second field is at the second level, and so on. |
| federated.partition.time.formats | Applies only to Federated Search for Amazon S3 federated indexes | Specifies a comma-delimited list of time format variables or custom time format strings that correspond to the fields in the federated.partition.time.fields list. The first variable corresponds to the first field name, the second variable corresponds to the second field name, and so on.
|
| federated.partition.time.types | Applies only to Federated Search for Amazon S3 federated indexes | Specifies a comma-delimited list of time field types that correspond to the fields in the federated.partition.time.fields list. Possible values are String, Integer, and Date.
|
| federated.partition.time.tz | Applies only to Federated Search for Amazon S3 federated indexes | Specifies the timezone that corresponds to the fields in the federated.partition.time.fields list. Possible values are canonical timezone names such as America/Los_Angeles.
|
Example Federated Search for Splunk request and response
Update the dataset mapping for the Federated Search for Splunk federated:remote_index_df_1 federated index.
XML Request
curl -k -u admin:changeme -X POST https://localhost:8126/services/data/federated/index/federated:remote_index_df_1 -d federated.dataset=index:index_df_1_new
XML response
<entry>
<title>federated:remote_index_df_1</title>
<id>https://localhost:8126/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="list"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="edit"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="remove"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="federated.dataset">index:index_df_1_new</s:key>
<s:key name="federated.provider">provider-1</s:key>
</s:dict>
</content>
</entry>
Example Federated Search for Amazon S3 request and response
Update the federated.timefield for the Federated Search for Amazon S3 fss3_index federated index.
XML Request
curl -k -u admin:changeme -X POST https://localhost:8089/services/data/federated/index/fss3_index -d federated.timefield=field_2
XML response
<entry>
<title>federated:fss3_index</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="list"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="edit"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="remove"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">1</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="federated.dataset">aws_glue_table:table_1</s:key>
<s:key name="federated.provider">test_provider</s:key>
<s:key name="federated.timefield">field_2</s:key>
<s:key name="federated.timeformat">%s</s:key>
<s:key name="federated.unixtimefield">_time</s:key>
</s:dict>
</content>
</entry>
</feed>
DELETE
Deletes a definition for a specific {federated_index_name}.
Use federated:{federated_index_name} for a Federated Search for Splunk federated index. For a Federated Search for Amazon S3 federated index, use {federated_index_name}.
Request parameters
None specific to this method.
Returned values
None specific to this method.
Example Federated Search for Splunk request and response
Delete the my_federated_index federated index.
XML Request
curl -k -u admin:changeme -X DELETE https://localhost:8089/services/data/federated/index/federated:my_federated_index
XML response
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>federated-index</title>
<id>/services/data/federated/index</id>
<updated>2021-04-27T12:57:06-07:00</updated>
<generator build="aa7e77c0d232b8ec1a8c12ceeda95e0bfe3c3f1c" version="20210423"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/federated/index/_new" rel="create"/>
<link href="/services/data/federated/index/_reload" rel="_reload"/>
<link href="/services/data/federated/index/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
Example Federated Search for Splunk request and response
Delete the fss3_index federated index.
XML Request
curl -k -u admin:changeme --request DELETE https://localhost:8089/services/data/federated/index/fss3_index
XML response
<title>federated-index</title>
<id>https://localhost:8089/services/data/federated/index</id>
<updated>2024-01-12T16:13:04-08:00</updated>
<generator build="560faafdef34420e5bda25009961db864cef5986" version="20240110"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/federated/index/_new" rel="create"/>
<link href="/services/data/federated/index/_reload" rel="_reload"/>
<link href="/services/data/federated/index/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
data/federated/index/{federated_index_name}/disable
https://<host>:<mPort>/services/data/federated/index/{federated_index_name}/disable
Use this endpoint to turn a specific federated index off. When a federated index is turned off, that federated index is not searchable in federated searches. This endpoint applies to federated indexes for Federated Search for Splunk and for Federated Search for Amazon S3. Federated Search for Amazon S3 is available only for Splunk Cloud Platform deployments.
For more information about defining federated indexes for Federated Search for Splunk, see Map a federated index to a remote Splunk dataset in Federated Search.
For more information about defining federated indexes for Federated Search for Amazon S3, see Map a federated index to an AWS Glue Data Catalog table dataset in Federated Search.
Authentication and Authorization
Usage of the POST operation for this endpoint is restricted to roles that have the admin_all_objects capability.
POST
Turn off a specific federated index.
Use federated:{federated_index_name} for a Federated Search for Splunk federated index. For a Federated Search for Amazon S3 federated index, use {federated_index_name}.
Request parameters
None specific to this method.
Returned values
None specific to this method.
Example federated search request and response
Turn off a Federated Search for Amazon S3 index named fss3_index.
XML request
curl -k -u admin:changeme --request -X POST https://localhost:8089/services/data/federated/index/fss3_index/disable
XML response
<entry>
<title>federated:fss3_index</title> <id>https://localhost:8089/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="list"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="edit"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="remove"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">1</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="federated.dataset">aws_glue_table:table_1</s:key>
<s:key name="federated.provider">test_provider</s:key>
<s:key name="federated.timefield">field_1</s:key>
<s:key name="federated.timeformat">%s</s:key>
<s:key name="federated.unixtimefield">_time</s:key>
</s:dict>
</content>
</entry>
data/federated/index/{federated_index_name}/enable
https://<host>:<mPort>/services/data/federated/index/{federated_index_name}/enable
Use this endpoint to turn a federated index back on after you have turned it off. When a federated index is turned on, it can be searched in federated searches. This endpoint applies to federated indexes for Federated Search for Splunk and federated indexes for Federated Search for Amazon S3. Federated Search for Amazon S3 is available only for Splunk Cloud Platform deployments.
For more information about defining federated indexes for Federated Search for Splunk, see Map a federated index to a remote Splunk dataset in Federated Search.
For more information about defining federated indexes for Federated Search for Amazon S3, see Map a federated index to an AWS Glue Data Catalog table dataset in Federated Search.
Authentication and Authorization
Usage of the POST operation for this endpoint is restricted to roles that have the admin_all_objects capability.
POST
Turns a specific federated index on.
Use federated:{federated_index_name} for a Federated Search for Splunk federated index. For a Federated Search for Amazon S3 federated index, use {federated_index_name}.
Request parameters
None specific to this method.
Returned values
None specific to this method.
Example request and response
Turn on a Federated Search for Amazon S3 federated index named fss3_index.
XML request
curl -k -u admin:changeme --request -X POST https://localhost:8089/services/data/federated/index/fss3_index/enable
XML response
<entry>
<title>federated:fss3_index</title> <id>https://localhost:8089/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index</id>
<updated>1969-12-31T16:00:00-08:00</updated>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="list"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="edit"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="remove"/>
<link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="federated.dataset">aws_glue_table:table_1</s:key>
<s:key name="federated.provider">test_provider</s:key>
<s:key name="federated.timefield">field_1</s:key>
<s:key name="federated.timeformat">%s</s:key>
<s:key name="federated.unixtimefield">_time</s:key>
</s:dict>
</content>
</entry>
| Access endpoint descriptions | Knowledge endpoint descriptions |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.1.2312, 9.2.2403
Download manual
Feedback submitted, thanks!