Splunk® IT Service Intelligence

Event Analytics Manual

Configure Event Analytics for federated search head in ITSI

Federated search can be configured with ITSI Event Analytics to ingest events from a remote search head provider, and get notable events to a federated search head.


Requirement Description
Turn on federated search You must have federated search turned on.

Configure federated search

Follow these steps to configure federated search. For more extensive steps, see About Federated Search for Splunk.

  1. On the remote federated provider, create the federatedrole role, with admin inheritance.
  2. On the remote federated provider, create a user called federateduser that has the federatedrole role.
  3. On the federated search head, select Settings then Federated search.
  4. Select Add federated provider.
  5. Set the Provider mode to the Transparent mode.
  6. Enter a provider name and set the remote host with a management port. For example, federatedprovider.splunkcloud.com:8089
  7. Provide the username and password credentials of the federateduser account.
  8. Select Test connection to verify the search, then select Save.

Disable the Rules Engine and correlation searches

Real-time searches are currently not supported in federated search mode. Any events stored in itsi_tracked_alerts will not be found by the itsi_event_grouping search. However, the events will be found by the ITSI Rules Engine periodic backfill searches, which run every 12 minutes.

To ensure that event grouping on the federated search head does not conflict with the remote federated provider and create duplicates, turn off the Rules Engine and remove correlation searches from the remote federated provider. To turn off the Rules Engine on the executor node so it doesn't run locally, follow these steps.

  1. On the Executor node, select Settings then Searches, reports, and alerts.
  2. Change the App: context to All.
  3. Search for the itsi_event_grouping search. The Rules Engine runs when this search is turned on.
  4. In the Actions column, select Edit then Disable to turn off the Rules Engine on the executor node.

Configure correlation searches on the federated search head to query remote indexes

Once federated search is configured, you can create correlation searches.

For example, when you create a correlation search that searches the main index, the scheduled search finds all of the events which are sent to the federated search head's itsi_tracked_alerts as notable events.

Note: Events directly ingested to the remote providers will not be found by the realtime search. Only ingest these events to the federated search head.

Last modified on 16 May, 2024
Overview of correlation searches in ITSI   Generate events with correlation searches in ITSI

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.19.0

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters