The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, so some links return redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Use federated searches in transparent mode with Splunk Enterprise Security

Run federated searches in transparent mode to search datasets beyond your local Splunk platform deployment. Using federated search with Splunk Enterprise Security gives you a holistic view of your datasets so that you can identify threats across multiple Splunk platform deployments, on both Splunk Cloud Platform and Splunk Enterprise. Transparent mode is especially useful if your datasets are partly on Splunk Cloud Platform and partly on-premises and you plan to migrate from on-premises to Splunk Cloud Platform. Federated search in transparent mode is subject to the constraints of the Splunk platform. For more information, see About the standard and transparent modes in the Splunk Cloud Platform Federated Search manual.

For more information, see About federated search in the Splunk Cloud Platform Federated Search manual.

Federated search in standard mode is not supported on Splunk Enterprise Security. The ES administrator must ensure that Enterprise Security is installed on the federated search head, not on the remote search head; federated search might not work as expected if Splunk Enterprise Security is installed on a remote search head. Using federated search to access deployments in different geographical locations might also affect your regulatory requirements, because search results from one location are returned to another.

Limitations of using federated search with Splunk Enterprise Security in transparent mode

The following limitations apply when you use federated search with Splunk Enterprise Security, whether or not your Enterprise Security instance is installed on a remote search head:

These limitations apply to Splunk platform versions earlier than 9.1.5, 9.2.2, and 9.3.0. They no longer apply after you upgrade to Splunk platform version 9.1.5, 9.2.2, or 9.3.0.

  • The makeresults command fails to write events to custom indexes. Some correlation searches depend on the command to generate only a single event. Using the command in a federated search might therefore produce unexpected results, because it returns results for all federated providers that are added to the deployment. However, this issue affects only custom searches and does not have a major impact on Splunk Enterprise Security.
  • Threat match searches in the threat intelligence framework might not match properly against search results that come from the remote search head. Threat matching searches do, however, work locally on the federated search head.
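The two checks below are added here as examples and are not searches from the Splunk documentation. The first uses the REST endpoint /services/server/info to list the platform version, so that you can confirm whether the version-dependent limitations above still apply; it is assumed to report only the federated search head and its own search peers, so run the same search on each remote deployment as well. The second is a diagnostic for the makeresults behaviour described in the first limitation: on an affected version, the search is assumed to return more than one event when run through a transparent mode federated provider, whereas a local search returns exactly one.

```spl
| rest /services/server/info splunk_server=*
| table splunk_server version
| sort splunk_server
```

```spl
| makeresults
| eval probe="makeresults_probe"
| stats count AS generated_events
```

A generated_events value greater than 1 indicates that the federated search is returning results for every provider, which is the condition that breaks correlation searches that expect a single event; upgrading to 9.1.5, 9.2.2, or 9.3.0 removes the limitation as the section above states.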

See also

Migrate from hybrid search to Federated Search for Splunk in the Splunk Cloud Platform Federated Search manual

Overview of the federated search options for the Splunk platform in the Splunk Cloud Platform Federated Search manual

Search over a transparent mode federated provider in the Splunk Cloud Platform Federated Search manual

Service accounts and security for Federated Search for Splunk in the Splunk Cloud Platform Federated Search manual

Last modified on 13 November, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.0, 7.3.1, 7.3.2