Use federated searches in transparent mode with Splunk Enterprise Security
Run federated searches in transparent mode to search datasets beyond your local Splunk platform deployment. Using federated search with Splunk Enterprise Security provides a holistic view of datasets to identify threats across multiple Splunk Platform deployments, for both Splunk Cloud and Splunk Enterprise. Transparent mode is especially useful if your datasets are partly on Cloud and partly on-prem and you plan to migrate from on-prem to Cloud. Federated search in transparent mode is subject to the constraints of the Splunk Platform. For more information, see About the standard and transparent modes.
For more information, see About federated search in the Splunk Enterprise Search manual.
Federated search in standard mode is not supported on Splunk Enterprise Security. The ES administrator must ensure that Enterprise Security is installed on the federated search head and not the remote search head. Federated search might not work as expected if Splunk Enterprise Security is installed on a remote search head. Using federated search to access deployments in different geographical locations might also impact regulatory requirements.
Limitations of using federated search with Splunk Enterprise Security in transparent mode
Following are some limitations of using federated search with Splunk Enterprise Security irrespective of whether your Enterprise Security instance is installed on a remote search head or not:
These limitations apply to versions prior to Splunk Platform version 9.1.5, 9.2.2, and 9.3.0. These limitations do not apply if you upgrade to Splunk Platform versions 9.1.5, 9.2.2, and 9.3.0.
- The makeresults command fails to write events to custom indexes. Some correlation searches depend on the command to generate only a single event. Therefore, using the command for federated search might cause issues since it returns results for all federated providers that are added to the deployment. However, this issue impacts only custom searches and does not have a major impact on Splunk Enterprise Security.
- Threat match searches in the threat intelligence framework might not properly match against the search results that come from the remote search head. However, threat matching searches work locally on the federated search head.
See also
Migrate from hybrid search to Federated Search for Splunk in the Splunk Cloud Platform Federated Search manual
Overview of the federated search options for the Splunk platform in the Splunk Cloud Platform Federated Search manual
Search over a transparent mode federated provider in the Splunk Cloud Platform Federated Search manual
Service accounts and security for Federated Search for Splunk in the Splunk Cloud Platform Federated Search manual
Enable behavioral analytics service on Splunk Enterprise Security | Overview of Incident Review in |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.0, 7.3.1, 7.3.2
Feedback submitted, thanks!