Overview of the federated search options for the Splunk platform
Federated search, in its most broad definition, is a tool that allows you to search remote datasets throughout your data ecosystem from a single Splunk platform search interface. With federated search, you can break down your data collection silos and get cross-functional insights into data patterns and correlations that previously were unavailable to you, while managing security requirements with role-based data access controls.
The Splunk platform currently offers two federated search options: Federated Search for Splunk, and Federated Search for Amazon S3.
Federated Search for Splunk
Federated Search for Splunk grants you a unified view of the Splunk platform data stored across your entire organization. With a single search you can efficiently return events from any Splunk Cloud Platform or Splunk Enterprise environment to which you have access.
Federated Search for Splunk is a feature that is available to users of Splunk Cloud Platform and Splunk Enterprise. You can configure Federated Search for Splunk between any combination of those two environment types (Enterprise to Enterprise, Cloud to Cloud, Enterprise to Cloud, and Cloud to Enterprise. You can also use Federated Search for Splunk to search multiple remote Splunk environments from the same local search head.
You can set up Federated Search for Splunk with just a few steps. To get started, see About federated search for Splunk.
Federated Search for Amazon S3 (for Splunk Cloud Platform only)
Federated Search for Amazon S3 lets you perform a remote search of the datasets in your Amazon S3 buckets, allowing you to retrieve the search results directly in your Splunk Cloud Platform instance for correlation, enrichment, and analysis, all without ever having to ingest or index that data beforehand.
Possible uses of Federated Search for Amazon S3 include, but are certainly not limited to the following scenarios:
- Threat hunting over historical data
- Provision of as-needed dataset access for compliance
- Creation of statistical reports and analytical searches that leverage historical data
- Exploration of stored Amazon S3 data, in the interest of locating data to ingest to Splunk
FS-S3 is available only for Splunk Cloud Platform deployments in AWS regions. To activate Federated Search for Amazon S3, you must contact your Splunk sales representative. For more information, see About Federated Search for Amazon S3.
About Federated Search for Splunk |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408, 9.0.2305
Feedback submitted, thanks!