About federated search
There may be times when you would like to run searches that query datasets outside of the Splunk platform deployment that you typically log in to. This is where federated search comes to the rescue. From your local search head, federated search gives you a holistic view of datasets across multiple geographically distributed Splunk platform deployments.
Federated search is topology-agnostic. This means that federated search works despite the complexity of the Splunk platform deployments involved. You can run a federated search across any sort of remote Splunk Cloud Platform or Splunk Enterprise deployment, whether it has a single search head or a search head cluster.
Federated search is currently unavailable for regulated (FedRAMP, PCI, and HIPAA) Splunk Cloud Platform environments.
Components of a typical federated search setup
Federated search introduces a set of terms. Familiarize yourself with them before you attempt to dig into setting up and running federated searches.
- Local deployment
- The Splunk platform deployment from which you perform federated searches. The federated search head for your federated search resides on your local deployment.
- In this context, "local" does not refer to your physical location. If you are in London and are logging into a Splunk platform deployment located in New York City when you run a federated search, that New York City deployment is the local deployment for your federated search.
- Federated provider
- A remote Splunk platform deployment. Contains the remote datasets–indexes, data models, and saved searches–that you search with your federated searches.
- Before you can run a federated search, you must set up federated provider definitions on the local Splunk platform deployment. These definitions enable the federated search head to make network connections to the federated provider and run searches on a remote search head on that provider through a service account. See Define a federated provider.
- Federated search head
- A search head residing on the local deployment that initiates federated searches. Contains federated indexes.
- Federated index
- An index you create on your federated search head for the purpose of running federated searches. Each federated index maps to a specific remote dataset on a federated provider. Federated indexes cannot be targets for data inputs. See Create a federated index.
- Remote dataset
- A dataset on a federated provider. Currently, only index datasets qualify as remote datasets for federated searches. Each federated index maps to a specific remote dataset.
- Remote search head
- A search head on a federated provider. A remote search head can be part of a search head cluster, but the federated search head that connects to it will not be aware of the cluster. See When federated providers use search head clustering.
- Federated search
- A search of one or more remote datasets on one or more federated providers. See Run federated searches.
How federated search works
The federated search process works in a manner similar to that of distributed search, where the initial processing of a search query is handled by the indexers of a Splunk platform deployment and then the results are aggregated on the search head for that deployment to produce a final result set.
Federated searches, however, are broken up into parts that are processed locally, and parts that are processed remotely, on one or more federated providers. For example, say you have a simple federated search, where only one federated provider is involved. In this case, the federated search process sends the remote portion of the search to the federated provider, where the initial part of the subsearch is processed independently by the remote search head and its indexers. The results are then sent back to the federated search head on the local Splunk platform deployment, where the local search head aggregates the remote results into the final result set for the complete federated search.
The following diagram illustrates a federated search over a remote Splunk platform deployment. The remote deployment has been set up as a federated provider. The provider has a remote dataset–an index–that is available for federated searches. On the local Splunk platform deployment, a federated index on the federated search head is mapped to the remote datasets.
A simple federated search for this setup might look like this:
index=federated:provider1_fedindex1 | stats count
This search references a federated index named
provider1_fedindex1 federated index is mapped to the remote dataset stored on Federated Provider 1. This means that the remote search head will run the
stats count operation for this search specifically on the remote dataset. The remote search head then returns the results to your local search head, which presents them without further aggregation, as there are no additional datasets involved in the search.
See Run federated searches to learn how to write federated searches.
Federated search configurations supported in this release
The types of federated search configurations you can run depends on the type of Splunk platform deployment you are running locally.
|Type of the local Splunk platform deployment||Splunk platform deployment types you can set up as federated providers|
|Splunk Cloud Platform (version 8.1.2012 or higher)||Splunk Cloud Platform (version 8.1.2012 or higher)|
|Splunk Enterprise (version 8.2.0 or higher)||Splunk Cloud Platform (version 8.2.2104 or higher)|
Splunk Enterprise (version 8.2.0 or higher)
In other words, if your local deployment is on Splunk Cloud Platform, you can run federated searches over other Splunk Cloud Platform deployments. And if your local deployment is on Splunk Enterprise, you can run federated searches over remote Splunk Cloud Platform deployments and remote Splunk Enterprise deployments.
If you have a Splunk Enterprise deployment that is lower than 8.2 and want to run federated searches without upgrading the entire deployment, you can upgrade a single search head in that deployment to 8.2 and run federated searches from that search head.
Currently, federated search for Splunk Enterprise is limited to Splunk Enterprise deployments that have been built over the Linux operating system. This restriction will be removed in future versions of Splunk Enterprise. This restriction does not affect Splunk Cloud Platform deployments.
Federated search security
When you run a federated search, the communication between the local Splunk platform deployment and any remote Splunk platform deployment that you have designated as a federated provider is facilitated by a dedicated service user account that is set up on the federated provider. When you run a federated search that involves that federated provider, the federated provider portion of the search runs in the context of that service account.
You can apply role-based access control filters to a federated provider service account to impose restrictions on the range of data that federated searches can access on a federated provider. For example, you can set up service accounts that have index restrictions, SPL filters, restrictions on search time ranges, and more.
On the local Splunk platform deployment, you can also set up role-based index restrictions for the federated indexes that you define.
As a best practice for federated search security, you can set up a role on the local Splunk platform deployment that has its index permissions limited strictly to only the local and federated indexes that are necessary for federated searches. Assign this role to users on the local deployment that must run federated searches.
For the purposes of federated search, communication between local and remote Splunk platform search heads is facilitated by an internal REST API endpoint on port 8089, using HTTPS with TLS 1.2 encryption. Federated search does not allow usage of HTTP proxies.
For more information about setting up role-based access control restrictions:
- To set up restrictions for roles on a Splunk Cloud Platform deployment, see Manage Splunk users and roles in the Splunk Cloud Admin Manual.
- To set up restrictions for roles on a Splunk Enterprise deployment, see Create and manage roles with Splunk Web in Securing the Splunk Platform.
Next steps for running federated searches
You cannot run federated searches until you create federated provider definitions for the remote Splunk platform deployments that you intend to search. See Define a federated provider.
After you create your federated provider definitions, you must define federated indexes. Federated indexes live on the federated search head, which in turn resides on the local deployment for the federated search. Each federated index you define is mapped to a specific dataset on a federated provider. See Create a federated index.
For information about constructing and running federated searches, see Run federated searches.
Define a federated provider
This documentation applies to the following versions of Splunk® Enterprise: 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7