Create a federated index
After you set up one or more remote Splunk platform deployments to be used as federated providers for your local Splunk platform deployment, you need to define federated indexes for use in federated searches. The Splunk software creates federated indexes on the federated search head of your local Splunk platform deployment. Each federated index you define maps to one remote dataset on a federated provider. Federated indexes are events indexes.
In this step you:
- Provide the name of the federated index.
- Select the federated provider which contains the remote dataset to which the federated index is mapped.
- Specify the remote dataset to which the federated index is mapped.
You can map a federated index to only one remote dataset at a time. If a federated provider contains several remote datasets over which you want to run federated searches, you can define a separate federated index for each dataset.
Federated search does not work with metrics indexes. Federated indexes and the index datasets to which they map are events indexes.
After you define your federated indexes, you can reference them in federated searches. When you reference a federated index in a search, you are saying that you want to search over the remote dataset to which the federated index maps. See Run federated searches.
- Read About federated search to familiarize yourself with federated search concepts and terminology.
- You must have a role with the admin_all_objects and indexes_edit capabilities.
  - If you use Splunk Cloud Platform, the sc_admin role has these capabilities by default. See Manage Splunk users and roles in the Splunk Cloud Admin Manual.
  - If you use Splunk Enterprise, the admin role has these capabilities by default. See Define roles on the Splunk platform with capabilities in Securing the Splunk Platform.
- You must have already defined one or more federated providers. See Define a federated provider.
- Know the names of the remote datasets to which you want your federated indexes to map. Only events indexes can be set up as remote datasets.
- Go to Settings > Federated Search.
- On the Federated Indexes tab, click Add Federated Index.
- Using the following table, specify the settings for your federated index.
Setting: Federated Index Name
Description: Specify the name of the federated index you intend to create. Each federated index maps to only one remote dataset, so the name should reference that dataset.
Federated index names have the following restrictions:
- They may contain only lowercase letters, numbers, underscores, and hyphens.
- They must begin with a letter or number.
- They cannot be more than 2048 characters in length.
- They cannot contain the string "kvstore".
Default value: No default

Setting: Federated Provider
Description: Select the federated provider that contains the dataset to which this federated index will map. The list displays the federated providers that have been defined for this Splunk platform deployment.
Default value: No default

Setting: Dataset Specification
Description: Specify the Type of remote dataset that this federated index maps to and provide the Object Name for the dataset. Currently, only the Index dataset type is available. For Object Name you must provide the name of an index that currently exists on the selected federated provider.
Default value: The dataset Type defaults to Index. Object Name has no default.
- Click Save to save the federated index configuration and create the index on the federated search head of your local Splunk platform deployment.
You can view the federated indexes that you have created for your deployment at any time by selecting Settings > Federated Search > Federated Indexes.
Do not designate federated indexes as default indexes for roles or data inputs.
Currently, federated indexes do not appear on the Indexes listing page at Settings > Indexes. This will be corrected in a forthcoming Splunk platform release.
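The following pre-flight check is an added example, not part of the Splunk documentation or product. It applies the naming restrictions and dataset rules from the settings described above to a planned list of federated index definitions before you enter them in Splunk Web. The function names, provider names, and index names are hypothetical and constructed for illustration.

```python
import re

ALLOWED_NAME = re.compile(r"[a-z0-9_-]+")  # lowercase letters, numbers, underscores, hyphens
MAX_NAME_LENGTH = 2048


def check_definition(name, provider, dataset_type, object_name, known_providers):
    """Return the problems found in one proposed federated index definition."""
    problems = []
    if not ALLOWED_NAME.fullmatch(name):
        problems.append("name: only lowercase letters, numbers, underscores, hyphens")
    if name[:1] in ("_", "-"):
        problems.append("name: must begin with a letter or number")
    if len(name) > MAX_NAME_LENGTH:
        problems.append("name: longer than 2048 characters")
    if "kvstore" in name:
        problems.append('name: contains the string "kvstore"')
    if provider not in known_providers:
        problems.append("provider: not a defined federated provider")
    if dataset_type != "Index":
        problems.append("dataset type: only Index is available")
    if not object_name:
        problems.append("object name: required, no default")
    return problems


def check_plan(plan, known_providers):
    """Check every definition and flag a name mapped to more than one dataset."""
    report, seen = {}, {}
    for name, provider, dataset_type, object_name in plan:
        problems = check_definition(name, provider, dataset_type, object_name, known_providers)
        first = seen.setdefault(name, (provider, object_name))
        if first != (provider, object_name):
            problems.append("name: already mapped to another remote dataset")
        if problems:
            report.setdefault(name, []).extend(problems)
    return report


# Constructed sample input: these provider and index names are invented.
PROVIDERS = {"remote_deployment_1"}
PLAN = [
    ("fed_firewall", "remote_deployment_1", "Index", "firewall"),
    ("fed_firewall", "remote_deployment_1", "Index", "proxy"),
    ("_kvstore_audit", "remote_deployment_2", "Index", ""),
]

if __name__ == "__main__":
    print(check_plan(PLAN, PROVIDERS))
```

An empty report means every planned definition satisfies the rules on this page. It does not confirm that the Object Name exists on the federated provider, which you must still verify there.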
This documentation applies to the following versions of Splunk® Enterprise: 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12