Splunk® Enterprise

Search Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

About federated search

You can run federated searches to search datasets outside of your local Splunk platform deployment. From your local search head, federated search gives you a holistic view of datasets across multiple Splunk platform deployments.

Federated search is topology-agnostic, so it works despite the complexity of the Splunk platform deployments involved. You can run a federated search across any remote Splunk Cloud Platform or Splunk Enterprise deployment.

Do you use hybrid search? See Migrate from hybrid search to federated search.

Components of a typical federated search setup

Federated search introduces a set of terms. Familiarize yourself with them before you attempt to dig into setting up and running federated searches.

Federated search

A search of one or more remote datasets on one or more federated providers.

Local deployment

The Splunk platform deployment from which you run federated searches. The federated search head for your federated search resides on your local deployment.

In this context, "local" does not refer to your physical location. If you are in London and are logging into a Splunk platform deployment located in New York City when you run a federated search, that New York City deployment is the local deployment for your federated search.

Federated search head

A search head residing on your local deployment that initiates federated searches.

Federated provider

A remote Splunk platform deployment. Contains the data that you search with your federated searches.

Before you can run federated searches, you must create federated provider definitions on the local deployment. A federated provider definition serves several purposes:

  • It enables the federated search head to make network connections to the federated provider and run searches on a remote search head on that provider through a service account.
  • It determines whether the federated provider runs in standard or transparent mode, which in turn affects how you write and run federated searches.

See About standard and transparent mode.
See Define a federated provider.

Remote search head

A search head on a federated provider.

Federated index

An index you create on your federated search head to run federated searches over standard mode federated providers. Each federated index maps to a specific remote dataset on a standard mode federated provider. Federated indexes do not ingest data or events. They provide a logical mapping to remote datasets. See Create a federated index.

Remote dataset

A dataset on a standard mode federated provider. Currently, only events indexes and saved searches qualify as remote datasets.

How federated search works

The federated search process works similarly to distributed search. On a distributed search, the initial processing of a search is handled by the indexers of a Splunk platform deployment, and then the results are aggregated on the search head for that deployment to produce a final result set.

Federated searches, however, are broken up into parts that are processed on a "local" Splunk platform deployment and parts that are processed on one or more remote deployments. Each of these remote deployments is a federated provider.

For example, say you have a simple federated search that involves only one federated provider. In this case, the federated search process sends the remote portion of the search to the federated provider. On the federated provider, the remote search head and its indexers process the search independently, performing a pre-aggregation of the results. The remote search head then sends the results back to the federated search head on the local deployment, where the local search head aggregates the remote results into the final result set for the complete federated search.

The following diagram illustrates a federated search over a remote deployment. The remote deployment is a standard mode federated provider. The federated provider has an events index dataset that is available for federated searches. On the local deployment, a federated index on the federated search head maps to a remote dataset.

The federated index in this example is there because the federated provider in this example is a standard mode federated provider. Transparent mode federated providers do not require federated indexes.

This diagram illustrates a federated search over a remote deployment. The remote deployment is a standard mode federated provider. The federated provider has an events index dataset that is available for federated searches. On the local deployment, a federated index on the federated search head maps to a remote dataset.

A simple federated search for this setup might look like this:

index=federated:provider1_fedindex1 | stats count

This search references a federated index named provider1_fedindex1. The provider1_fedindex1 federated index maps to the remote dataset stored on Federated Provider 1. The remote search head uses this mapping to send back events from its remote index dataset to the federated search head on your local deployment. The federated search head runs the stats count operation on those events. When this stats count aggregation is complete, the federated search head presents the results without additional processing, as there are no additional datasets involved in the search.

See Run federated searches to learn how to write federated searches.

Kinds of federated searches you can set up

This table lists the four kinds of federated searches that you can set up, and the Splunk Enterprise or Splunk Cloud Platform versions that those types of federated searches require.

Kind of federated search Local deployment Remote deployment
Splunk Enterprise to Splunk Enterprise Splunk Enterprise (version 8.2.0 or higher) Splunk Enterprise (version 8.2.0 or higher)
Splunk Cloud Platform to Splunk Cloud Platform Splunk Cloud Platform (version 8.1.2103 or higher) Splunk Cloud Platform (version 8.1.2103 or higher)
Splunk Enterprise to Splunk Cloud Platform Splunk Enterprise (version 8.2.0 or higher) Splunk Cloud Platform (version 8.2.2104 or higher)
Splunk Cloud Platform to Splunk Enterprise Splunk Cloud Platform (version 8.2.2203 or higher) Splunk Enterprise (version 9.0.0 or higher)

If you have a Splunk Enterprise deployment that is lower than 8.2 and want to run federated searches without upgrading the entire deployment, you can upgrade a single search head in that deployment to 8.2 and run federated searches from that search head.

Splunk Cloud Platform environment and region support

Federated search supports Splunk Cloud Platform deployments in AWS and Google Cloud.

For the conditions and limitations that apply to region support for federated search in AWS and Google Cloud, including search between regions, see the coverage of federated search in the Splunk Cloud Platform Service Description.

About standard and transparent mode

When you define a federated provider, you must decide what mode you want that provider to use. Federated provider modes offer different federated search experiences, and you must select the mode that best fits your needs.

You have two federated provider mode options: standard and transparent.

  • Choose standard mode if you want to restrict data access to specific remote datasets such as indexes, saved searches, or data models. Standard mode is the best fit for federated search users who are not migrating from a hybrid search setup.
  • Choose transparent mode if you use hybrid search and want to migrate to federated search. Transparent mode lets you run your hybrid mode searches without syntax changes.

Federated search does not support setting up a mix of transparent mode and standard mode federated providers for the same local deployment, as this practice can introduce unexpected complications. All of your federated providers should use the same provider mode.

Transparent mode is available in Splunk Cloud Platform version 8.2.2107 and higher and Splunk Enterprise version 9.0.0 and higher. The following table describes the differences between the two modes.

Category Standard mode federated search Transparent mode federated search
Kinds of federated search Applies to the following kinds of federated search:
  • Splunk Cloud Platform to Splunk Cloud Platform
  • Splunk Enterprise to Splunk Enterprise
  • Splunk Cloud Platform to Splunk Enterprise
  • Splunk Enterprise to Splunk Cloud Platform, if you are not migrating to federated search from a hybrid search setup.
Applies to Splunk Enterprise to Splunk Cloud Platform federated search, if you are migrating from a hybrid search setup.
Provider setup Requires:
  • A federated provider definition.
  • A separate federated index definition for each dataset on the federated provider that you want to search. You can designate events indexes and saved searches as searchable datasets.

You can associate a single remote deployment with multiple standard mode federated provider definitions. For example, for one remote deployment you might set up different standard mode federated provider definitions for different application contexts.

Requires federated provider definition only.

You can associate a single remote deployment with only one transparent mode federated provider definition. See Define a federated provider.
User permissions applied to remote portion of search The federated search runs on the federated provider with the permissions of the service account user you define on the federated provider. The federated search runs on the federated provider with the permissions of the user who initiates the search on the local deployment.
Application context of remote portion of search Uses the application context set in the federated provider definition. Uses the application context of the local search.
Knowledge objects applied to remote portions of searches Uses knowledge objects that are defined on the remote search head of the federated provider.
See Custom knowledge object coordination for standard mode federated providers.
Through bundle replication, uses knowledge objects from the federated search head of the local deployment.
Security Control is on the side of the remote federated provider. Access to data on the federated provider is determined by role-based security settings for the service account user on the federated provider.

In addition, access to federated indexes is role-based, which means you can restrict the datasets your users can search on the federated provider.
Control is on the side of the local deployment. Access to data on the federated provider is determined by role-based security settings for the user running the federated search from the local deployment.

To grant this access, the service account user on the federated provider must have a role with the fsh_manage capability.
Which local searches run as federated searches on the federated provider? Only local searches that invoke federated indexes run over remote datasets on federated providers. Searches that do not invoke federated indexes run only on your local deployment. When you connect your local instance to a transparent mode federated provider, all of your local searches run over that federated provider as federated searches, whether or not you intend for them to search remote datasets on that provider. This might reduce the performance of some of your searches.
Special search processing language (SPL) syntax required? Yes No
Can send only specific subsearches to the remote search head? Yes No
Can run entire federated search on the remote search head? Yes No
Provides separate namespace for remote indexes (to avoid name collisions)? Yes No
Can run remote saved searches? Yes No
Can run remote data models? Yes No
SPL limitations Standard mode searches cannot include:
  • Generating commands other than search, from, and tstats.
  • Metrics commands such as mpreview or mstats.
  • Wildcards in references to federated indexes.
Transparent mode searches cannot use from to reference remote saved search datasets, and they cannot use datamodel to search remote data model datasets.
Dataset availability You can search the following dataset types on a federated provider:
  • events indexes
  • saved searches
  • data models
You can search events and metrics indexes on a federated provider.

About federated search and Splunk security and IT products

Federated search does not currently support Splunk Enterprise Security, Splunk IT Service Intelligence, or similar products.

Set up federated search between Splunk platform deployments

Complete the following steps to set up federated search between a local deployment and a remote deployment.

To run federated searches, Splunk Cloud Platform deployments require additional configuration from Splunk Support. This is true whether the Splunk Cloud Platform deployment is on the local or remote side of the federated search. If you are setting up federated search between two Splunk Cloud Platform deployments, you must contact Splunk Support for both deployments.

If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Customer Support.

Number Task For more information see
1 Determine the federated provider mode of the remote deployment. About standard and transparent mode
2 Set up a service account on the remote deployment. Service accounts and federated search security
3 Apply a federated provider definition to the remote deployment. Set the provider mode. Define a federated provider
4 If you have defined a standard mode federated provider, define one or more federated indexes for it. Create a federated index
5 If you have defined a standard mode federated provider and you intend to run federated searches that are dependent on custom knowledge objects, ensure those knowledge objects exist on the remote search head. Custom knowledge object coordination for standard mode federated providers
6 Run federated searches. Run federated searches
Last modified on 26 October, 2022
PREVIOUS
Scheduling searches
  NEXT
Migrate from hybrid search to federated search

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters