Splunk® Enterprise Security

Use Splunk Enterprise Security


Use federated searches in transparent mode with Splunk Enterprise Security

Run federated searches in transparent mode to search datasets beyond your local Splunk platform deployment. Using federated search with Splunk Enterprise Security gives you a holistic view of your datasets so that you can identify threats across multiple Splunk platform deployments, both Splunk Cloud Platform and Splunk Enterprise. Transparent mode is especially useful when your datasets are partly in Splunk Cloud Platform and partly on-premises and you plan to migrate from on-premises to the cloud.

For more information, see About federated search in the Splunk Enterprise Search manual.

Federated search in standard mode is not supported on Splunk Enterprise Security. The ES administrator must ensure that Enterprise Security is installed on the federated search head and not the remote search head. Federated search might not work as expected if Splunk Enterprise Security is installed on a remote search head. Using federated search to access deployments in different geographical locations might also impact regulatory requirements.

Limitations of using federated search with Splunk Enterprise Security in transparent mode

The following limitations apply to federated search with Splunk Enterprise Security, regardless of whether your Enterprise Security instance is installed on a remote search head:

  • The makeresults command fails to write events to custom indexes. Some correlation searches depend on makeresults generating only a single event; in a federated search, however, the command returns results for every federated provider added to the deployment, so such searches might not behave as expected. This issue affects only custom searches and does not have a major impact on Splunk Enterprise Security.
  • Threat match searches in the threat intelligence framework might not properly match against the search results that come from the remote search head. However, threat matching searches work locally on the federated search head.

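The two SPL searches below are an added illustration, not part of the Splunk documentation or of Splunk's own code. The first is a diagnostic to run on the federated search head: it counts how many rows a bare makeresults produces, which reveals whether more than one federated provider is contributing rows. The second shows one way to harden a custom search that expects a single row; that head 1 is applied after the provider results are merged on the search head is an assumption you should verify in your own deployment.

```spl
`comment("Added example, not from the Splunk documentation. Run on the federated search head.")`
`comment("Diagnostic: in transparent mode, makeresults can emit one row per federated provider.")`
`comment("A generated_rows value greater than 1 means any search that assumes a single row is affected.")`
| makeresults
| stats count AS generated_rows
| eval status=if(generated_rows > 1, "multiple providers contribute rows", "single row")

`comment("Hardened pattern for a custom search that needs exactly one seed event.")`
`comment("Assumption: head 1 runs on the search head after merged results, so only one row reaches the eval and later logic.")`
| makeresults
| head 1
| eval check_time=now()
```

If the diagnostic reports more than one row, review any custom correlation search that seeds itself with makeresults before relying on it in a federated environment.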
Federated search in transparent mode is subject to the constraints of the Splunk platform. For more information, see About the standard and transparent modes (http://docs.splunk.com/Documentation/Splunk/9.2.1/FederatedSearch/fss2sAbout#About_the_standard_and_transparent_modes).

See also

Migrate from hybrid search to Federated Search for Splunk in the Splunk Cloud Platform Federated Search manual

Overview of the federated search options for the Splunk platform in the Splunk Cloud Platform Federated Search manual

Search over a transparent mode federated provider in the Splunk Cloud Platform Federated Search manual

Service accounts and security for Federated Search for Splunk in the Splunk Cloud Platform Federated Search manual

Last modified on 03 April, 2024
This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.0, 7.3.1

