Splunk® Enterprise

REST API Reference Manual

Federated search endpoint descriptions

Use the federated search REST API endpoints to create, update, and delete definitions for federated providers and federated indexes for Federated Search for Splunk and Federated Search for Amazon S3. Federated Search for Amazon S3 is available only for Splunk Cloud Platform.

See Overview of the federated search options for the Splunk platform in Federated Search.

Usage details

Review ACL information for an endpoint

To check Access Control List (ACL) properties for an endpoint, append /acl to the path. For more information, see Access Control List in the REST API User Manual.

Authentication and Authorization

Username and password authentication are required for access to endpoints and REST operations.

Splunk users must have role and/or capability-based authorization to use REST endpoints, and must have the admin_all_objects and edit_indexes capabilities to use the federated search endpoints detailed in this topic.

Users with an administrative role, such as admin, can access authorization information in Splunk Web. To view the roles assigned to a user, select Settings > Access controls > Users. To determine the capabilities assigned to a role, select Settings > Access controls > Roles.

Splunk Cloud Platform URL for REST API access

Splunk Cloud Platform has a different host and management port syntax than Splunk Enterprise. Paid subscribers to the Splunk Cloud Platform service use the following URL to access REST API resources:

https://<deployment-name>.splunkcloud.com:8089

See Access requirements and limitations for the Splunk Cloud Platform REST API in the REST API Tutorials manual for more information.


data/federated/settings/general

https://<host>:<mPort>/services/data/federated/settings/general

Use this endpoint to review the general settings for your Splunk platform deployment implementation of Federated Search for Splunk and change those settings as necessary. For an overview of Federated Search for Splunk, see About Federated Search for Splunk in Federated Search.

The settings that this endpoint governs do not apply to Federated Search for Amazon S3.

Authentication and authorization
Usage of the GET and POST operations for this endpoint is restricted to roles that have the admin_all_objects capability.

GET

Provides the current general federated search settings for your Splunk platform deployment.

Request parameters
None specific to this method. This method can use pagination and filtering parameters.

Returned values

Name Description
disabled Specifies whether federated search functionality is turned on for your Splunk platform deployment.

If disabled = false, federated search functionality is turned on for your deployment. If disabled = true, federated search functionality is turned off for your deployment.

Defaults to false.

transparent_mode Specifies whether transparent mode federated search functionality is turned on for your Splunk platform deployment.

If set to true, transparent mode is turned on, which means federated search users on your deployment can run federated searches over transparent mode federated providers as well as standard mode federated providers. If set to false, transparent mode is turned off, which means federated search users on your deployment can run federated searches only over standard mode federated providers.

Defaults to true.

controlCommandsFeatureEnabled Specifies whether a federated search head can send a federated search action, such as a search cancellation, to federated providers. Does not support search pause. Defaults to true.
controlCommandsMaxThreads The maximum number of threads that can run a federated search action, such as a search cancellation, from a federated search head, on federated providers. Does not support search pause. Defaults to 5.
controlCommandsMaxTimeThreshold The maximum number of seconds that a federated search head waits for the completion of a federated search action such as a search cancellation. Does not support search pause. Defaults to 5.
heartbeatEnabled Specifies whether the federated search heartbeat mechanism is running. The heartbeat mechanism monitors the remote federated providers. If it detects problems with the federated providers the heartbeat mechanism can tell you what is wrong and take actions. Defaults to true.
max_preview_generation_duration The maximum amount of time, in seconds, that the search head can spend to generate search result previews. When a federated search reaches this limit, preview generation is halted, but the search continues gathering results until it completes and displays the final result set. A setting of 0 means that the preview generation duration of federated searches is unlimited. Defaults to 0.
needs_consent When set to true, needs_consent causes a checkbox to appear in the UI for federated provider definitions and index assignment to roles. This checkbox requires that users acknowledge that federated providers and federated index permissions can be set up in a manner detrimental to regulatory compliance. When set to false, needs_consent hides this checkbox. Defaults to true.
proxyBundlesTTL Specifies the time to live in seconds of a proxy bundle on the remote search head after the last time it was used by a search. Defaults to 172800 seconds, or 2 days.
remoteEventsDownloadRetryCountMax When you run a verbose-mode federated search, the federated search head downloads events from the federated provider. This setting provides the maximum number of event download retries that the federated search head can make before it reports an event download failure. Related to remoteEventsDownloadRetryTimeoutMs. Defaults to 20 event download retries.
remoteEventsDownloadRetryTimeoutMs When you run a verbose-mode federated search, the federated search head downloads events from the federated provider. This setting provides the interval, in milliseconds, between retries of a failed event download from a federated provider. Related to remoteEventsDownloadRetryCountMax. Defaults to 1000.
verbose_mode Specifies whether federated searches can be run in verbose mode. A setting of false restricts the ability of federated searches to run in verbose mode, while allowing federated searches to run in fast or smart mode. In transparent mode, a setting of false means that Splunk software runs only the local portion of a verbose mode federated search. In standard mode, a setting of false terminates verbose mode federated searches without displaying their results. Defaults to true.
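The returned values above come back inside the Splunk REST Atom envelope as nested <s:dict>, <s:key>, <s:list> and <s:item> elements, with booleans rendered as 0 and 1. The following Python is an added example, not part of this manual or of Splunk's own tooling: it converts that structure into plain Python values and then reports every general setting whose value differs from the documented default, which is a practical way to detect drift in the settings this table says to change only when Splunk Support instructs you to. The sample response is constructed for the example (the page's snippets omit the enclosing <feed>, so the Atom and Splunk "s" namespace declarations are assumed from a full response), and the values 55, 86400 and transparent_mode=0 were chosen to show drift.

```python
import xml.etree.ElementTree as ET

# Namespaces used by Splunk REST Atom responses (assumed from a full response;
# the page's XML snippets only show the "s:" prefix).
ATOM_NS = "http://www.w3.org/2005/Atom"
S_NS = "http://dev.splunk.com/ns/rest"
S_DICT, S_KEY, S_LIST, S_ITEM = (f"{{{S_NS}}}{t}" for t in ("dict", "key", "list", "item"))

# Documented defaults from the data/federated/settings/general returned-values
# table. The endpoint renders booleans as 0/1, so defaults are kept as strings.
GENERAL_SETTINGS_DEFAULTS = {
    "disabled": "0",
    "transparent_mode": "1",
    "controlCommandsFeatureEnabled": "1",
    "controlCommandsMaxThreads": "5",
    "controlCommandsMaxTimeThreshold": "5",
    "heartbeatEnabled": "1",
    "max_preview_generation_duration": "0",
    "needs_consent": "1",
    "proxyBundlesTTL": "172800",
    "remoteEventsDownloadRetryCountMax": "20",
    "remoteEventsDownloadRetryTimeoutMs": "1000",
    "verbose_mode": "1",
}

# Constructed sample response (not captured from a live deployment).
SAMPLE_GENERAL_RESPONSE = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <title>general</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="controlCommandsFeatureEnabled">1</s:key>
        <s:key name="controlCommandsMaxThreads">5</s:key>
        <s:key name="controlCommandsMaxTimeThreshold">5</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read"><s:list><s:item>*</s:item></s:list></s:key>
                <s:key name="write"><s:list><s:item>admin</s:item></s:list></s:key>
              </s:dict>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="heartbeatEnabled">1</s:key>
        <s:key name="max_preview_generation_duration">55</s:key>
        <s:key name="needs_consent">1</s:key>
        <s:key name="proxyBundlesTTL">86400</s:key>
        <s:key name="remoteEventsDownloadRetryCountMax">20</s:key>
        <s:key name="remoteEventsDownloadRetryTimeoutMs">1000</s:key>
        <s:key name="transparent_mode">0</s:key>
        <s:key name="verbose_mode">1</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def parse_sdict(elem):
    """Recursively convert <s:dict>/<s:list>/<s:key>/<s:item> into dict/list/str."""
    if elem.tag == S_DICT:
        return {key.get("name"): parse_sdict(key) for key in elem.findall(S_KEY)}
    if elem.tag == S_LIST:
        return [parse_sdict(item) for item in elem.findall(S_ITEM)]
    # <s:key> or <s:item>: either wraps one container element or holds plain text
    child = next(iter(elem), None)
    if child is not None:
        return parse_sdict(child)
    return (elem.text or "").strip()


def parse_entries(atom_xml):
    """Return {entry title: content dict} for every <entry> in an Atom response."""
    root = ET.fromstring(atom_xml)
    entries = {}
    for entry in root.iter(f"{{{ATOM_NS}}}entry"):
        title = entry.findtext(f"{{{ATOM_NS}}}title")
        content = entry.find(f".//{S_DICT}")  # first (outermost) <s:dict> in <content>
        entries[title] = parse_sdict(content) if content is not None else {}
    return entries


def federated_search_enabled(settings):
    """disabled=0 means federated search is turned on for the deployment."""
    return settings.get("disabled") == "0"


def settings_drift(settings):
    """Map each setting that differs from its documented default to
    (current value, default). A setting the response omits is reported as None."""
    return {name: (settings.get(name), default)
            for name, default in GENERAL_SETTINGS_DEFAULTS.items()
            if settings.get(name) != default}


if __name__ == "__main__":
    general = parse_entries(SAMPLE_GENERAL_RESPONSE)["general"]
    print("federated search on:", federated_search_enabled(general))
    for name, (current, default) in settings_drift(general).items():
        print(f"{name}: {current} (default {default})")
```

In practice you would feed parse_entries the body of the GET request shown below (the one made with curl) and review the drift report against your change records; values in the eai:acl and eai:attributes dictionaries are parsed too, so the same function serves the provider and index endpoints described later in this topic.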

Example request and response
Return the general federated search settings for your Splunk platform deployment. The XML response shows an example of returned federated search settings.

XML Request

curl -k -u admin:changeme -X GET https://localhost:8089/services/data/federated/settings/general

XML response

...
  <entry>
    <title>general</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/federated/settings/general</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="list"/>
    <link href="/servicesNS/nobody/system/data/federated/settings/general/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/federated/settings/general/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="controlCommandsFeatureEnabled">1</s:key>
        <s:key name="controlCommandsMaxThreads">5</s:key>
        <s:key name="controlCommandsMaxTimeThreshold">5</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>controlCommandsFeatureEnabled</s:item>
                <s:item>controlCommandsMaxThreads</s:item>
                <s:item>controlCommandsMaxTimeThreshold</s:item>
                <s:item>heartbeatEnabled</s:item>
                <s:item>needs_consent</s:item>
                <s:item>proxyBundlesTTL</s:item>
                <s:item>verbose_mode</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>.*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="max_preview_generation_duration">0</s:key>
        <s:key name="needs_consent">1</s:key>
        <s:key name="proxyBundlesTTL">172800</s:key>
        <s:key name="remoteEventsDownloadRetryCountMax">20</s:key>
        <s:key name="remoteEventsDownloadRetryTimeoutMs">1000</s:key>
        <s:key name="transparent_mode">1</s:key>
      </s:dict>
    </content>
  </entry>

POST

Updates general federated search settings. Can be used to turn federated search functionality on or off for a Splunk platform deployment.

Request parameters

Name Type Description
disabled Boolean When set to false, disabled specifies that federated search functionality is turned on for your Splunk platform deployment. When set to true, disabled specifies that federated search functionality is turned off for your Splunk platform deployment.

Defaults to false.
transparent_mode Boolean When set to true, transparent_mode specifies that transparent mode federated search functionality is turned on for your Splunk platform deployment, which means that federated search users on your deployment can run federated searches over transparent mode federated providers as well as standard mode federated providers.

When set to false, transparent_mode specifies that transparent mode federated search functionality is turned off for your Splunk platform deployment, which means that federated search users on your deployment can run federated searches only over standard mode federated providers.

Defaults to true.
controlCommandsFeatureEnabled Boolean Specifies whether a federated search head can send a federated search action, such as a search cancellation, to federated providers. Does not support search pause. Defaults to true.

Change this setting only when instructed to do so by Splunk Support.
controlCommandsMaxThreads Number The maximum number of threads that can run a federated search action, such as a search cancellation, from a federated search head, on federated providers. Does not support search pause. Defaults to 5.

Change this setting only when instructed to do so by Splunk Support.
controlCommandsMaxTimeThreshold Number The maximum number of seconds that a federated search head waits for the completion of a federated search action such as a search cancellation. Does not support search pause. Defaults to 5.

Change this setting only when instructed to do so by Splunk Support.
heartbeatEnabled Boolean Specifies whether the federated search heartbeat mechanism is running. The heartbeat mechanism monitors the remote federated providers. If it detects problems with the federated providers the heartbeat mechanism can tell you what is wrong and take actions. Defaults to true.

Change this setting only when instructed to do so by Splunk Support.
max_preview_generation_duration Number The maximum amount of time, in seconds, that the search head can spend to generate search result previews. When a federated search reaches this limit, preview generation is halted, but the search continues gathering results until it completes and displays the final result set. A setting of 0 means that the preview generation duration of federated searches is unlimited. Defaults to 0.

Change the value of this setting to a number above zero if you find that your federated searches are terminated because their preview generation duration exceeds a timeout set by another component in your network, such as an elastic load balancer (ELB). For example, if you have an ELB that times out your searches after 60 seconds, set max_preview_generation_duration to 55.
needs_consent Boolean When set to true, needs_consent causes a checkbox to appear in the UI for federated provider definitions and index assignment to roles. This checkbox requires that users acknowledge that federated providers and federated index permissions can be set up in a manner detrimental to regulatory compliance. When set to false, needs_consent hides this checkbox. Defaults to true.

Change this setting only when instructed to do so by Splunk Support.
proxyBundlesTTL Number Specifies the time to live in seconds of a proxy bundle on the remote search head after the last time it was used by a search. Defaults to 172800 seconds, or 2 days.

Change this setting only when instructed to do so by Splunk Support.
remoteEventsDownloadRetryCountMax Number When you run a verbose-mode federated search, the federated search head downloads events from the federated provider. This setting provides the maximum number of event download retries that the federated search head can make before it reports an event download failure. Related to remoteEventsDownloadRetryTimeoutMs. Defaults to 20 event download retries.

Change this setting only when instructed to do so by Splunk Support.
remoteEventsDownloadRetryTimeoutMs Number When you run a verbose-mode federated search, the federated search head downloads events from the federated provider. This setting provides the interval, in milliseconds, between retries of a failed event download from a federated provider. Related to remoteEventsDownloadRetryCountMax. Defaults to 1000.

Change this setting only when instructed to do so by Splunk Support.
verbose_mode Boolean Specifies whether federated searches can be run in verbose mode. A setting of false restricts the ability of federated searches to run in verbose mode, while allowing federated searches to run in fast or smart mode. In transparent mode, a setting of false means that Splunk software runs only the local portion of a verbose mode federated search. In standard mode, a setting of false terminates verbose mode federated searches without displaying their results. Defaults to true.

Change this setting only when instructed to do so by Splunk Support.
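The request-parameters table gives each setting a type (Boolean or Number) and marks most of them as settings to change only on instruction from Splunk Support. The following Python is an added example, not Splunk code: it validates a proposed update against those documented types before anything is sent, refuses Support-only settings unless the caller explicitly opts in, and produces the form body that goes after curl's -d flag (the manual's own example uses the literal true/false spelling, which is what the encoder emits). Nothing here performs the HTTP request itself.

```python
from urllib.parse import urlencode

# Parameter types from the POST request-parameters table for
# data/federated/settings/general.
BOOLEAN_PARAMS = {
    "disabled", "transparent_mode", "controlCommandsFeatureEnabled",
    "heartbeatEnabled", "needs_consent", "verbose_mode",
}
NUMBER_PARAMS = {
    "controlCommandsMaxThreads", "controlCommandsMaxTimeThreshold",
    "max_preview_generation_duration", "proxyBundlesTTL",
    "remoteEventsDownloadRetryCountMax", "remoteEventsDownloadRetryTimeoutMs",
}
# Settings the table says to change only when instructed to do so by Splunk Support.
SUPPORT_ONLY_PARAMS = {
    "controlCommandsFeatureEnabled", "controlCommandsMaxThreads",
    "controlCommandsMaxTimeThreshold", "heartbeatEnabled", "needs_consent",
    "proxyBundlesTTL", "remoteEventsDownloadRetryCountMax",
    "remoteEventsDownloadRetryTimeoutMs", "verbose_mode",
}


def build_settings_update(changes, allow_support_only=False):
    """Validate {setting: python value} and return {setting: form string}.

    Raises ValueError for unknown settings, a non-bool for a Boolean setting,
    a negative or non-integer value for a Number setting, or a Support-only
    setting when allow_support_only is False.
    """
    body = {}
    for name, value in changes.items():
        if name in BOOLEAN_PARAMS:
            if not isinstance(value, bool):
                raise ValueError(f"{name} is Boolean; got {value!r}")
            body[name] = "true" if value else "false"
        elif name in NUMBER_PARAMS:
            # bool is a subclass of int, so exclude it explicitly
            if isinstance(value, bool) or not isinstance(value, int) or value < 0:
                raise ValueError(f"{name} is a non-negative Number; got {value!r}")
            body[name] = str(value)
        else:
            raise ValueError(f"unknown general federated search setting: {name}")
        if name in SUPPORT_ONLY_PARAMS and not allow_support_only:
            raise ValueError(
                f"{name}: change this setting only when instructed by Splunk Support"
            )
    return body


def encode_form_body(body):
    """Form-encode the validated body, sorted so the output is stable."""
    return urlencode(sorted(body.items()))


def is_valid_update(changes, allow_support_only=False):
    """True if build_settings_update accepts the changes, False otherwise."""
    try:
        build_settings_update(changes, allow_support_only)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Reproduces the manual's example: turn off transparent mode.
    print(encode_form_body(build_settings_update({"transparent_mode": False})))
    # Raise the preview budget below an upstream 60-second timeout (the page's ELB example).
    print(encode_form_body(build_settings_update({"max_preview_generation_duration": 55})))
```

Running the script prints transparent_mode=false and max_preview_generation_duration=55, each ready to be supplied as the -d argument of the curl command shown below.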

Returned values

Name Description
disabled Specifies whether federated search functionality is turned on for your Splunk platform deployment.

If disabled = false, federated search functionality is turned on for your deployment. If disabled = true, federated search functionality is turned off for your deployment.

Defaults to false.

transparent_mode Specifies whether transparent mode federated search functionality is turned on for your Splunk platform deployment.

If set to true, transparent mode is turned on, which means federated search users on your deployment can run federated searches over transparent mode federated providers as well as standard mode federated providers. If set to false, transparent mode is turned off, which means federated search users on your deployment can run federated searches only over standard mode federated providers.

Defaults to true.

controlCommandsFeatureEnabled Specifies whether a federated search head can send a federated search action, such as a search cancellation, to federated providers. Does not support search pause. Defaults to true.
controlCommandsMaxThreads The maximum number of threads that can run a federated search action, such as a search cancellation, from a federated search head, on federated providers. Does not support search pause. Defaults to 5.
controlCommandsMaxTimeThreshold The maximum number of seconds that a federated search head waits for the completion of a federated search action such as a search cancellation. Does not support search pause. Defaults to 5.
heartbeatEnabled Specifies whether the federated search heartbeat mechanism is running. The heartbeat mechanism monitors the remote federated providers. If it detects problems with the federated providers the heartbeat mechanism can tell you what is wrong and take actions. Defaults to true.
max_preview_generation_duration The maximum amount of time, in seconds, that the search head can spend to generate search result previews. When a federated search reaches this limit, preview generation is halted, but the search continues gathering results until it completes and displays the final result set. A setting of 0 means that the preview generation duration of federated searches is unlimited. Defaults to 0.
needs_consent When set to true, needs_consent causes a checkbox to appear in the UI for federated provider definitions and index assignment to roles. This checkbox requires that users acknowledge that federated providers and federated index permissions can be set up in a manner detrimental to regulatory compliance. When set to false, needs_consent hides this checkbox. Defaults to true.
proxyBundlesTTL Specifies the time to live in seconds of a proxy bundle on the remote search head after the last time it was used by a search. Defaults to 172800 seconds, or 2 days.
remoteEventsDownloadRetryCountMax When you run a verbose-mode federated search, the federated search head downloads events from the federated provider. This setting provides the maximum number of event download retries that the federated search head can make before it reports an event download failure. Related to remoteEventsDownloadRetryTimeoutMs. Defaults to 20 event download retries.
remoteEventsDownloadRetryTimeoutMs When you run a verbose-mode federated search, the federated search head downloads events from the federated provider. This setting provides the interval, in milliseconds, between retries of a failed event download from a federated provider. Related to remoteEventsDownloadRetryCountMax. Defaults to 1000.
verbose_mode Specifies whether federated searches can be run in verbose mode. A setting of false restricts the ability of federated searches to run in verbose mode, while allowing federated searches to run in fast or smart mode. In transparent mode, a setting of false means that Splunk software runs only the local portion of a verbose mode federated search. In standard mode, a setting of false terminates verbose mode federated searches without displaying their results. Defaults to true.

Example request and response
Turn off transparent mode federated search for this Splunk platform deployment.

XML Request

curl -k -u admin:changeme -X POST https://localhost:8089/services/data/federated/settings/general -d transparent_mode=false

XML response

...
  <entry>
    <title>general</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/federated/settings/general</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="list"/>
    <link href="/servicesNS/nobody/system/data/federated/settings/general/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/federated/settings/general/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="controlCommandsFeatureEnabled">1</s:key>
        <s:key name="controlCommandsMaxThreads">5</s:key>
        <s:key name="controlCommandsMaxTimeThreshold">5</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>controlCommandsFeatureEnabled</s:item>
                <s:item>controlCommandsMaxThreads</s:item>
                <s:item>controlCommandsMaxTimeThreshold</s:item>
                <s:item>heartbeatEnabled</s:item>
                <s:item>needs_consent</s:item>
                <s:item>proxyBundlesTTL</s:item>
                <s:item>verbose_mode</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>.*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="max_preview_generation_duration">0</s:key>
        <s:key name="needs_consent">1</s:key>
        <s:key name="proxyBundlesTTL">172800</s:key>
        <s:key name="remoteEventsDownloadRetryCountMax">20</s:key>
        <s:key name="remoteEventsDownloadRetryTimeoutMs">1000</s:key>
        <s:key name="transparent_mode">0</s:key>
      </s:dict>
    </content>
  </entry>

data/federated/provider

https://<host>:<mPort>/services/data/federated/provider

Use this endpoint to get a list of federated providers and post new federated provider definitions. Some of these settings are exclusive to Federated Search for Splunk, while other settings are exclusive to Federated Search for Amazon S3. Federated Search for Amazon S3 is available only for Splunk Cloud Platform.

The provider endpoint does not honor user or app context. It always places federated provider stanzas in etc/system/local/federated.conf, no matter which user or app namespace you are currently using.

For more information about defining federated providers for Federated Search for Splunk, see Define a Splunk platform federated provider in Federated Search.

For more information about defining federated providers for Federated Search for Amazon S3, see Define an Amazon S3 federated provider in Federated Search.

Authentication and authorization
Usage of the POST operation for this endpoint is restricted to roles that have the admin_all_objects capability.

GET

Returns a list of federated providers.

Request parameters
None specific to this method. This method can use pagination and filtering parameters.

Returned values

Name What providers does this setting apply to? Description
name All providers Specifies the name of the federated provider.
type All providers Specifies the federated provider type. If you have a Splunk Enterprise deployment, you can set type only to splunk, indicating that the provider is for Federated Search for Splunk.

If you have a Splunk Cloud Platform deployment, you can set type to either splunk or aws_s3. A type = aws_s3 setting indicates the provider is for Federated Search for Amazon S3. Defaults to splunk.

mode Applies only to Federated Search for Splunk providers Specifies whether the federated provider runs federated searches in standard or transparent mode. For a detailed comparison of the standard and transparent modes of federated search, see About Federated Search for Splunk in Federated Search.

Defaults to standard.

appContext Applies only to Federated Search for Splunk providers Specifies the Splunk application context for federated searches that are run over standard mode federated providers. The application context ensures that standard mode federated searches using this federated provider are limited to the knowledge objects that are associated with the named application.
  • If mode = standard for this federated provider, appContext specifies the folder name of an app that is installed on the remote search head of the federated provider.
  • If mode = transparent for this federated provider, the federated provider ignores the appContext setting when you run federated searches over the provider. Transparent mode federated searches use the application context of the user running the search.

Defaults to search.

aws_account_id Applies only to Federated Search for Amazon S3 providers Specifies a 12-digit Amazon Web Services (AWS) account ID.
aws_glue_tables_allowlist Applies only to Federated Search for Amazon S3 providers Specifies a comma-separated list of AWS Glue tables from which Federated Search for Amazon S3 can get metadata and data schemas.
aws_kms_keys_arn_allowlist Applies only to Federated Search for Amazon S3 providers Specifies a comma-separated list of the Amazon resource names (ARNs) for the AWS KMS keys that encrypt Amazon S3 data.
aws_region Applies only to Federated Search for Amazon S3 providers Specifies the Amazon Web Services (AWS) region of your Splunk Cloud Platform deployment. This setting is determined automatically by Splunk software.
aws_s3_paths_allowlist Applies only to Federated Search for Amazon S3 providers Specifies a comma-separated list of Amazon S3 location paths that you can search with Federated Search for Amazon S3.
database Applies only to Federated Search for Amazon S3 providers Specifies the name of the AWS Glue Data Catalog database that contains the AWS Glue Data Catalog tables for the federated provider.
data_catalog Applies only to Federated Search for Amazon S3 providers Specifies the Amazon Resource Name (ARN) for the AWS Glue Data Catalog. The ARN points to an AWS account.
hostPort Applies only to Federated Search for Splunk providers Specifies the protocols required to connect to a federated provider. Usually follows the format <Host_Name>:<Service_Port_Number>. In some cases, an IP address is used instead of a host name.
serviceAccount Applies only to Federated Search for Splunk providers Specifies the user name for a service account that has been set up on the federated provider for the purpose of facilitating secure federated searches.
useFSHKnowledgeObjects Applies only to Federated Search for Splunk providers Specifies whether the remote search head uses its own knowledge objects for federated searches, or if it uses knowledge objects that are bundle-replicated from the federated search head.

The federated provider mode determines the required setting for useFSHKnowledgeObjects.

  • When the federated provider has mode=standard, Splunk software always interprets useFSHKnowledgeObjects as being set to 0 or false, which means that the federated search can use a blend of local and remote knowledge objects.
  • When the federated provider has mode=transparent, Splunk software always interprets useFSHKnowledgeObjects as being set to 1 or true, because transparent mode federated searches can use knowledge objects only from the federated search head.
connectivityStatus Applies only to Federated Search for Splunk providers Specifies whether the federated provider established a connection to your local deployment in its last attempt to do so.
  • When connectivityStatus=valid, this federated provider was able to connect to your local deployment.
  • When connectivityStatus=invalid, this federated provider was unable to connect to your local deployment.
  • When connectivityStatus=unknown, the ability of the federated provider to check this connection has been turned off.

This setting is for diagnostic purposes only and cannot be set or changed by users.

disabled All providers Specifies whether the federated provider is turned on or off. When a federated provider is turned off, the provider cannot return results for federated searches.
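Several rows in this table describe how the platform interprets a provider definition rather than what is literally stored: useFSHKnowledgeObjects is overridden by mode, connectivityStatus is diagnostic only, and the Amazon S3 settings are scoping allowlists. The following Python is an added example, not part of the manual or of Splunk's tooling: given provider records in the shape of the content dictionary of each returned entry (with 0/1 strings for booleans, as the endpoint renders them), it applies the documented mode rule and reports the points a reviewer would want to see for each provider. The records are constructed for the example; host names, account IDs and the KMS key ID are placeholders, and the hostPort regex and the arn:aws:kms: prefix check are the example's own assumptions about well-formed values rather than rules stated on this page.

```python
import re

# Constructed provider records shaped like the <s:dict> content of each <entry>
# returned by GET data/federated/provider. Not captured from a live deployment.
SAMPLE_PROVIDERS = {
    "splunk_std": {
        "type": "splunk", "mode": "standard", "appContext": "search",
        "hostPort": "sh1.example.internal:8089", "serviceAccount": "fsh_svc",
        "useFSHKnowledgeObjects": "1", "connectivityStatus": "valid", "disabled": "0",
    },
    "splunk_transparent": {
        "type": "splunk", "mode": "transparent", "appContext": "search",
        "hostPort": "sh2.example.internal:8089", "serviceAccount": "fsh_svc",
        "useFSHKnowledgeObjects": "0", "connectivityStatus": "invalid", "disabled": "0",
    },
    "s3_prov": {
        "type": "aws_s3", "aws_account_id": "123456789012", "aws_region": "us-west-2",
        "aws_glue_tables_allowlist": "table_1,table_2",
        "aws_kms_keys_arn_allowlist": "arn:aws:kms:us-west-2:123456789012:key/KEY-ID-PLACEHOLDER",
        "aws_s3_paths_allowlist": "s3://bucket1,s3://bucket2/folder2/",
        "database": "database_1",
        "data_catalog": "glue:arn:aws:glue:us-west-2:123456789012:catalog", "disabled": "1",
    },
}

# Assumption of this example: host name or IPv4 address followed by a port.
HOST_PORT_RE = re.compile(r"[^:/\s]+:\d+")


def effective_use_fsh_knowledge_objects(provider):
    """Documented rule: mode=standard always behaves as false, mode=transparent
    always behaves as true, regardless of the stored useFSHKnowledgeObjects."""
    return provider.get("mode", "standard") == "transparent"


def split_allowlist(value):
    """Split a comma-separated allowlist setting into its non-empty entries."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def check_provider(provider):
    """Return review findings for one provider record as a list of strings."""
    findings = []
    if provider.get("disabled") == "1":
        findings.append("provider is turned off and cannot return federated search results")
    ptype = provider.get("type", "splunk")  # type defaults to splunk
    if ptype == "splunk":
        stored = provider.get("useFSHKnowledgeObjects")
        effective = effective_use_fsh_knowledge_objects(provider)
        if stored is not None and (stored == "1") != effective:
            findings.append(
                f"useFSHKnowledgeObjects={stored} is ignored: mode="
                f"{provider.get('mode', 'standard')} behaves as {str(effective).lower()}"
            )
        status = provider.get("connectivityStatus")
        if status == "invalid":
            findings.append("last connectivity check to the local deployment failed")
        elif status == "unknown":
            findings.append("connectivity checking for this provider is turned off")
        if not HOST_PORT_RE.fullmatch(provider.get("hostPort", "")):
            findings.append("hostPort is not in <Host_Name>:<Service_Port_Number> form")
    elif ptype == "aws_s3":
        if not re.fullmatch(r"\d{12}", provider.get("aws_account_id", "")):
            findings.append("aws_account_id is not a 12-digit AWS account ID")
        for key in ("aws_s3_paths_allowlist", "aws_glue_tables_allowlist"):
            if not split_allowlist(provider.get(key, "")):
                findings.append(f"{key} is empty: nothing can be searched through it")
        for arn in split_allowlist(provider.get("aws_kms_keys_arn_allowlist", "")):
            if not arn.startswith("arn:aws:kms:"):
                findings.append(f"aws_kms_keys_arn_allowlist entry is not a KMS key ARN: {arn}")
    else:
        findings.append(f"unexpected provider type {ptype!r}")
    return findings


def audit_providers(providers):
    """Map every provider name to its findings."""
    return {name: check_provider(record) for name, record in providers.items()}


if __name__ == "__main__":
    for name, findings in audit_providers(SAMPLE_PROVIDERS).items():
        print(name, "->", findings or ["no findings"])
```

For the sample records this reports that splunk_std's stored useFSHKnowledgeObjects=1 is overridden by standard mode, that splunk_transparent's stored 0 is overridden by transparent mode and its last connectivity check failed, and that s3_prov is turned off; the Amazon S3 allowlists and account ID pass their checks.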

Example federated provider request and response
Return a list of all federated providers, regardless of type. The sample XML response returns the details for two Federated Search for Amazon S3 providers and one Federated Search for Splunk provider.

XML request

curl -k -u admin:changeme  -X GET https://localhost:8126/services/data/federated/provider

XML response

...
  <entry>
    <title>provider-test-fss3</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/federated/provider/provider-test-fss3</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3" rel="list"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3" rel="remove"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="aws_account_id">123456789012</s:key>
        <s:key name="aws_glue_tables_allowlist">xyz,aaa,abc,cde</s:key>
        <s:key name="aws_region">us-west-2</s:key>
        <s:key name="aws_s3_paths_allowlist">s3:/b1/p1*,s3:/b2/*</s:key>
        <s:key name="data_catalog">glue:arn:aws:glue:us-west-2:123456789012:catalog</s:key>
        <s:key name="database">fss3_db</s:key>
        <s:key name="disabled">1</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="type">aws_s3</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>aws_s3_provider</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/federated/provider/aws_s3_provider</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="list"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="aws_account_id">123456789012</s:key>
        <s:key name="aws_glue_tables_allowlist">table_1,table_2</s:key>
        <s:key name="aws_kms_keys_arn_allowlist">arn:aws:kms:us-east-1:123456789012:key/b1e51ce6-210d-49dd-a6a6-7ff950000003</s:key>
        <s:key name="aws_region">us-west-2</s:key>
        <s:key name="aws_s3_paths_allowlist">s3://bucket1,s3://bucket2/folder2/</s:key>
        <s:key name="data_catalog">glue:arn:aws:glue:us-west-2:123456789012:catalog</s:key>
        <s:key name="database">database_1</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="type">aws_s3</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>splunk2splunk_provider_1</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/federated/provider/splunk2splunk_provider_1</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/system/data/federated/provider/splunk2splunk_provider_1" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/federated/provider/splunk2splunk_provider_1" rel="list"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/splunk2splunk_provider_1/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/splunk2splunk_provider_1" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/splunk2splunk_provider_1" rel="remove"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/splunk2splunk_provider_1/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="appContext">search</s:key>
        <s:key name="connectivityStatus">invalid</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="hostPort">buttercupgames.splunkcloud.com:8088</s:key>
        <s:key name="mode">standard</s:key>
        <s:key name="serviceAccount">fedsearch-account</s:key>
        <s:key name="type">splunk</s:key>
        <s:key name="useFSHKnowledgeObjects">0</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

Example Federated Search for Amazon S3 request and response
Return a list of all Federated Search for Amazon S3 federated providers.

XML request

curl -k -u admin:changeme -G https://localhost:8089/services/data/federated/provider -d type=aws_s3

XML response

...
  <entry>
    <title>provider-test-fss3</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/federated/provider/provider-test-fss3</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3" rel="list"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3" rel="remove"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/provider-test-fss3/enable" rel="enable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="aws_account_id">123456789012</s:key>
        <s:key name="aws_glue_tables_allowlist">xyz,aaa,abc,cde</s:key>
        <s:key name="aws_region">us-west-2</s:key>
        <s:key name="aws_s3_paths_allowlist">s3:/b1/p1*,s3:/b2/*</s:key>
        <s:key name="data_catalog">glue:arn:aws:glue:us-west-2:123456789012:catalog</s:key>
        <s:key name="database">fss3_db</s:key>
        <s:key name="disabled">1</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="type">aws_s3</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>aws_s3_provider</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/federated/provider/aws_s3_provider</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="list"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="aws_account_id">123456789012</s:key>
        <s:key name="aws_glue_tables_allowlist">table_1,table_2</s:key>
        <s:key name="aws_kms_keys_arn_allowlist">arn:aws:kms:us-east-1:123456789012:key/b1e51ce6-210d-49dd-a6a6-7ff950000003</s:key>
        <s:key name="aws_region">us-west-2</s:key>
        <s:key name="aws_s3_paths_allowlist">s3://bucket1,s3://bucket2/folder2/</s:key>
        <s:key name="data_catalog">glue:arn:aws:glue:us-west-2:123456789012:catalog</s:key>
        <s:key name="database">database_1</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="type">aws_s3</s:key>
      </s:dict>
    </content>
  </entry>

POST

Creates a new federated provider definition.

Request parameters

Name What providers does this setting apply to? Type Description
name All providers String Required. Specify a unique name for the federated provider.
type All providers String Required. Set the type of federated provider. Your options for this setting depend on whether you are running your federated searches from a Splunk Enterprise deployment or Splunk Cloud Platform deployment.

If you are running federated searches from a Splunk Enterprise deployment, you can only set type to splunk. A setting of type=splunk means that you are configuring this federated provider to facilitate access to search a Splunk platform deployment. For a federated provider with type=splunk, you must set all settings that are required for Federated Search for Splunk providers.

If you are running federated searches from a Splunk Cloud Platform deployment, you have the option of setting type to either splunk or aws_s3. A setting of type=aws_s3 means that you are configuring this federated provider to facilitate access to datasets in Amazon S3. For a federated provider with type=aws_s3, you must set all settings that are required for Federated Search for Amazon S3 providers.

Defaults to splunk.

mode Applies only to Federated Search for Splunk providers String Required. Specify whether the federated provider runs federated searches in standard or transparent mode. For a detailed comparison of the standard and transparent modes of federated search, see About Federated Search for Splunk in Federated Search.

Transparent mode is recommended only if you are migrating to federated search from a Splunk Enterprise to Splunk Cloud Platform hybrid search setup.

Federated Search for Splunk does not support setting up a mix of transparent mode and standard mode federated providers for the same local deployment, as this practice can introduce unexpected complications. All of the federated providers for a specific local deployment must use the same provider mode.

Defaults to standard.
appContext Applies only to Federated Search for Splunk providers String Specify an app folder name to apply an application context to federated searches over a standard mode federated provider. The application context determines which set of knowledge objects on the remote search head is applied to the federated searches you run over that provider.
  • If mode = standard, provide the short name of an app that is installed on the remote search head of the federated provider.
  • If mode = transparent, you do not need to set appContext. Transparent mode federated providers ignore the appContext setting and instead apply the application context of the user running the federated search.

See Set the app context for standard mode federated providers in Federated Search.

Defaults to search.

aws_account_id Applies only to Federated Search for Amazon S3 providers Number Required. Provide the 12-digit ID for the Amazon Web Services (AWS) account that is the data source for your federated provider.
aws_glue_tables_allowlist Applies only to Federated Search for Amazon S3 providers String Required. Provide a comma-separated list of AWS Glue tables from which Federated Search for Amazon S3 can get metadata and data schemas. Each AWS Glue table in the list must meet both of these requirements:
  • It must belong to the AWS Glue Data Catalog database that you identify for the database setting.
  • It must reference an Amazon S3 location path that you have listed for the aws_s3_paths_allowlist setting.
aws_kms_keys_arn_allowlist Applies only to Federated Search for Amazon S3 providers String If you use the AWS Key Management Service to apply server-side encryption (SSE-KMS) to the data stored in your Amazon S3 buckets, provide a comma-separated list of the Amazon resource names (ARNs) for the AWS KMS keys that encrypt Amazon S3 data.

Federated Search for Amazon S3 supports only customer-managed AWS KMS keys. In addition, each KMS key ARN that you provide in this field must belong to the AWS account that you specify with the aws_account_id setting.

aws_s3_paths_allowlist Applies only to Federated Search for Amazon S3 providers String Required. Provide a comma-separated list of Amazon S3 location paths that you can search with Federated Search for Amazon S3.
database Applies only to Federated Search for Amazon S3 providers String Required. Provide the name of the AWS Glue Data Catalog database that contains the AWS Glue Data Catalog tables for the federated provider.
hostPort Applies only to Federated Search for Splunk providers String Required. Provide the host name and port number for the federated provider, separated by a colon character. For example: buttercupgames.splunkcloud.com:8089.
password Applies only to Federated Search for Splunk providers String Required. Provide the password for a service account that is already set up on the federated provider. This dedicated user account allows the federated search head on your local instance to securely search datasets on the federated provider.

See Service accounts and security for Federated Search for Splunk in Federated Search.
serviceAccount Applies only to Federated Search for Splunk providers String Required. Provide the username for a service account that is already set up on the federated provider. This dedicated user account allows the federated search head on your local instance to securely search datasets on the federated provider.

See Service accounts and security for Federated Search for Splunk in Federated Search.
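The per-type requirements in the table above lend themselves to a pre-flight check. The following Python is an added example, not Splunk's own code; it validates a provider definition against the rules listed here (required and type-exclusive settings, 12-digit account ID, s3:// paths, KMS key ARNs in the provider's own account) and form-encodes it for the POST.

```python
"""Validate a data/federated/provider POST body before sending it.

Added example, not Splunk's own code: it encodes the per-type required
and type-exclusive settings from the request-parameter table so that a
bad definition is rejected locally instead of by splunkd.
"""
import re
from urllib.parse import urlencode

# Settings the table marks Required for each provider type. mode is listed
# as required but also has a default (standard), so it is only validated.
REQUIRED = {
    "splunk": ("hostPort", "serviceAccount", "password"),
    "aws_s3": ("aws_account_id", "aws_glue_tables_allowlist",
               "aws_s3_paths_allowlist", "database"),
}
# Every setting that may appear for a given type; anything else is rejected,
# so a Federated Search for Splunk body cannot carry stray AWS settings.
ALLOWED = {
    "splunk": set(REQUIRED["splunk"]) | {"name", "type", "mode", "appContext"},
    "aws_s3": set(REQUIRED["aws_s3"]) | {"name", "type", "aws_kms_keys_arn_allowlist"},
}
# Customer-managed KMS key ARN; group 1 is the owning AWS account ID.
KMS_KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:(\d{12}):key/[0-9a-fA-F-]+$")


def _csv(value):
    """Split a comma-separated setting into a list of non-empty items."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def validate_provider(params: dict) -> list:
    """Return a list of problems; an empty list means the body is acceptable."""
    problems = []
    if not params.get("name"):
        problems.append("name is required")
    ptype = params.get("type", "splunk")  # the endpoint defaults to splunk
    if ptype not in REQUIRED:
        return problems + [f"type must be splunk or aws_s3, got {ptype!r}"]
    for key in REQUIRED[ptype]:
        if not params.get(key):
            problems.append(f"{key} is required for type={ptype}")
    for key in params:
        if key not in ALLOWED[ptype]:
            problems.append(f"{key} does not apply to type={ptype}")
    if ptype == "splunk":
        host, sep, port = str(params.get("hostPort", "")).rpartition(":")
        if not (sep and host and port.isdigit()):
            problems.append("hostPort must be <host>:<port>")
        if params.get("mode", "standard") not in ("standard", "transparent"):
            problems.append("mode must be standard or transparent")
    else:
        acct = str(params.get("aws_account_id", ""))
        if not re.fullmatch(r"\d{12}", acct):
            problems.append("aws_account_id must be a 12-digit AWS account ID")
        for path in _csv(params.get("aws_s3_paths_allowlist")):
            if not path.startswith("s3://"):
                problems.append(f"S3 path {path!r} must start with s3://")
        # Each KMS key must be in the same account as aws_account_id.
        for arn in _csv(params.get("aws_kms_keys_arn_allowlist")):
            m = KMS_KEY_ARN.match(arn)
            if m is None:
                problems.append(f"{arn!r} is not an AWS KMS key ARN")
            elif m.group(1) != acct:
                problems.append(f"KMS key {arn!r} is not in account {acct}")
    return problems


def build_body(params: dict) -> str:
    """Return the form-encoded body for the POST, or raise ValueError.

    Feed the body to curl from a file (-d @file) rather than on the command
    line so the service-account password stays out of shell history and
    process listings.
    """
    problems = validate_provider(params)
    if problems:
        raise ValueError("; ".join(problems))
    return urlencode(params)


if __name__ == "__main__":
    # Constructed sample matching this page's Federated Search for Amazon S3 example.
    print(build_body({
        "name": "aws_s3_provider", "type": "aws_s3",
        "aws_account_id": "123456789012", "database": "database_1",
        "aws_s3_paths_allowlist": "s3://bucket1,s3://bucket2/folder2/",
        "aws_glue_tables_allowlist": "table_1,table_2",
    }))
```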

Returned values

Name What providers does this setting apply to? Description
name All providers Specifies the name of the federated provider.
type All providers Specifies the federated provider type. If you have a Splunk Enterprise deployment, type can be set only to splunk, indicating that the provider is for Federated Search for Splunk.

If you have a Splunk Cloud Platform deployment, type can be set either to splunk or aws_s3. A type = aws_s3 setting indicates the provider is for Federated Search for Amazon S3. Defaults to splunk.

mode Applies only to Federated Search for Splunk providers Specifies whether the federated provider runs federated searches in standard or transparent mode. For a detailed comparison of the standard and transparent modes of federated search, see About Federated Search for Splunk in Federated Search.

Defaults to standard.

appContext Applies only to Federated Search for Splunk providers Specifies the Splunk application context for federated searches that are run over standard mode federated providers. The application context ensures that standard mode federated searches using this federated provider are limited to the knowledge objects that are associated with the named application.
  • If mode = standard for this federated provider, appContext specifies the folder name of an app that is installed on the remote search head of the federated provider.
  • If mode = transparent for this federated provider, the federated provider ignores the appContext setting when you run federated searches over the provider. Transparent mode federated searches use the application context of the user running the search.

Defaults to search.

aws_account_id Applies only to Federated Search for Amazon S3 providers Specifies a 12-digit Amazon Web Services (AWS) account ID.
aws_glue_tables_allowlist Applies only to Federated Search for Amazon S3 providers Specifies a comma-separated list of AWS Glue tables from which Federated Search for Amazon S3 can get metadata and data schemas.
aws_kms_keys_arn_allowlist Applies only to Federated Search for Amazon S3 providers Specifies a comma-separated list of the Amazon resource names (ARNs) for the AWS KMS keys that encrypt Amazon S3 data.
aws_region Applies only to Federated Search for Amazon S3 providers Specifies the Amazon Web Services (AWS) region of your Splunk Cloud Platform deployment. This setting is determined automatically by Splunk software.
aws_s3_paths_allowlist Applies only to Federated Search for Amazon S3 providers Specifies a comma-separated list of Amazon S3 location paths that you can search with Federated Search for Amazon S3.
database Applies only to Federated Search for Amazon S3 providers Specifies the name of the AWS Glue Data Catalog database that contains the AWS Glue Data Catalog tables for the federated provider.
data_catalog Applies only to Federated Search for Amazon S3 providers Specifies the Amazon Resource Name (ARN) for the AWS Glue Data Catalog. The ARN points to an AWS account. Splunk software provides the value for this setting.
hostPort Applies only to Federated Search for Splunk providers Specifies the host name and port that are used to connect to the federated provider. Usually follows the format <Host_Name>:<Service_Port_Number>. In some cases, an IP address is used instead of a host name.
serviceAccount Applies only to Federated Search for Splunk providers Specifies the user name for a service account that has been set up on the federated provider for the purpose of facilitating secure federated searches.
useFSHKnowledgeObjects Applies only to Federated Search for Splunk providers Specifies whether the remote search head uses its own knowledge objects for federated searches, or if it uses knowledge objects that are bundle-replicated from the federated search head.

The federated provider mode determines the required setting for useFSHKnowledgeObjects.

  • When the federated provider has mode=standard, Splunk software always interprets useFSHKnowledgeObjects as being set to 0 or false, which means that the federated search can use a blend of local and remote knowledge objects.
  • When the federated provider has mode=transparent, Splunk software always interprets useFSHKnowledgeObjects as being set to 1 or true, because transparent mode federated searches can use knowledge objects only from the federated search head.
connectivityStatus Applies only to Federated Search for Splunk providers Specifies whether the federated provider established a connection to your local deployment in its last attempt to do so.
  • When connectivityStatus=valid, this federated provider was able to connect to your local deployment.
  • When connectivityStatus=invalid, this federated provider was unable to connect to your local deployment.
  • When connectivityStatus=unknown, the ability of the federated provider to check this connection has been turned off.

This setting is for diagnostic purposes only and cannot be set or changed by users.

disabled All providers Specifies whether the federated provider is turned on or off. When a federated provider is turned off, the provider cannot return results for federated searches.
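The returned values above are easiest to review programmatically. This Python is an added example, not Splunk's code: it parses the Atom response (the `<s:dict>`, `<s:key>` and `<s:list>` elements) into plain dictionaries and flags values an operator should look at: failed connectivity, turned-off providers, ACL write perms set to *, KMS keys outside the provider's account, and S3 paths that cover a whole bucket. SAMPLE_FEED is constructed from the response shapes on this page; the namespace URIs are the ones splunkd uses.

```python
"""Parse a data/federated/provider Atom response and audit the returned values.

Added example, not Splunk's own code. SAMPLE_FEED is constructed from the
response shapes shown on this page; the namespace URIs are the ones splunkd
uses for Atom and for its s: elements.
"""
import xml.etree.ElementTree as ET

NS = {"a": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <title>splunk2splunk_provider_1</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="connectivityStatus">invalid</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl"><s:dict><s:key name="perms"><s:dict>
          <s:key name="write"><s:list><s:item>*</s:item></s:list></s:key>
        </s:dict></s:key></s:dict></s:key>
        <s:key name="hostPort">buttercupgames.splunkcloud.com:8088</s:key>
        <s:key name="type">splunk</s:key>
        <s:key name="useFSHKnowledgeObjects">0</s:key>
      </s:dict>
    </content>
  </entry>
  <entry>
    <title>aws_s3_provider</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="aws_account_id">123456789012</s:key>
        <s:key name="aws_kms_keys_arn_allowlist">arn:aws:kms:us-east-1:123456789012:key/b1e51ce6-210d-49dd-a6a6-7ff950000003</s:key>
        <s:key name="aws_s3_paths_allowlist">s3://bucket1,s3://bucket2/folder2/</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="type">aws_s3</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def _value(node):
    """Convert an s:key, s:item or content element into a dict, list or string."""
    d = node.find("s:dict", NS)
    if d is not None:
        return {k.get("name"): _value(k) for k in d.findall("s:key", NS)}
    lst = node.find("s:list", NS)
    if lst is not None:
        return [_value(i) for i in lst.findall("s:item", NS)]
    return (node.text or "").strip()


def _csv(value):
    """Split a comma-separated setting into non-empty items."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def parse_providers(feed_xml: str) -> dict:
    """Return {provider_name: {setting: value}} for each entry in the feed."""
    root = ET.fromstring(feed_xml)
    providers = {}
    for entry in root.findall("a:entry", NS):
        name = entry.findtext("a:title", default="", namespaces=NS).strip()
        providers[name] = _value(entry.find("a:content", NS))
    return providers


def audit(providers: dict) -> dict:
    """Return {provider_name: [finding, ...]} for returned values worth reviewing."""
    findings = {}
    for name, p in providers.items():
        notes = []
        if p.get("disabled") == "1":
            notes.append("turned off: its federated indexes return no results")
        if p.get("connectivityStatus") == "invalid":
            notes.append("last connection attempt to the local deployment failed")
        # eai:acl write perms of * are not limited to named roles.
        if "*" in p.get("eai:acl", {}).get("perms", {}).get("write", []):
            notes.append("ACL write perms are *, not limited to named roles")
        if p.get("type") == "aws_s3":
            acct = p.get("aws_account_id", "")
            for arn in _csv(p.get("aws_kms_keys_arn_allowlist")):
                parts = arn.split(":")  # the account ID is the fifth ARN field
                if len(parts) < 6 or parts[4] != acct:
                    notes.append(f"KMS key {arn} is not in account {acct}")
            for path in _csv(p.get("aws_s3_paths_allowlist")):
                if "/" not in path[len("s3://"):].rstrip("/"):
                    notes.append(f"{path} allows search over the whole bucket")
        if notes:
            findings[name] = notes
    return findings


if __name__ == "__main__":
    for name, notes in audit(parse_providers(SAMPLE_FEED)).items():
        print(name, *notes, sep="\n  ")
```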

Example Federated Search for Splunk request and response
Create a new definition for a Federated Search for Splunk federated provider named provider-1.

XML request

curl -k -u admin:changeme -X POST https://localhost:8126/services/data/federated/provider -d name=provider-1 -d type=splunk -d mode=standard -d hostPort=10.225.131.242:8089 -d serviceAccount=admin -d 'password=Chang3d!'

XML response

...
  <entry>
    <title>provider-1</title>
    <id>https://localhost:8126/servicesNS/nobody/system/data/federated/provider/provider-1</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="list"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/provider-1/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/provider-1" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="appContext">search</s:key>
        <s:key name="connectivityStatus">unknown</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="hostPort">10.225.131.242:8089</s:key>
        <s:key name="mode">standard</s:key>
        <s:key name="serviceAccount">admin</s:key>
        <s:key name="type">splunk</s:key>
        <s:key name="useFSHKnowledgeObjects">0</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

Example Federated Search for Amazon S3 request and response
Create a new definition for a Federated Search for Amazon S3 federated provider named aws_s3_provider.

XML request

curl -k -u admin:changeme -X POST https://localhost:8089/services/data/federated/provider -d name=aws_s3_provider -d type=aws_s3 -d aws_account_id=123456789012 -d database=database_1 -d aws_s3_paths_allowlist="s3://bucket1,s3://bucket2/folder2/" -d aws_kms_keys_arn_allowlist=arn:aws:kms:us-east-1:123456789012:key/b1e51ce6-210d-49dd-a6a6-7ff950000003 -d aws_glue_tables_allowlist=table_1,table_2

XML response

...
  <entry>
    <title>aws_s3_provider</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/federated/provider/aws_s3_provider</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="list"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="aws_account_id">123456789012</s:key>
        <s:key name="aws_glue_tables_allowlist">table_1,table_2</s:key>
        <s:key name="aws_kms_keys_arn_allowlist">arn:aws:kms:us-east-1:123456789012:key/b1e51ce6-210d-49dd-a6a6-7ff950000003</s:key>
        <s:key name="aws_region">us-west-2</s:key>
        <s:key name="aws_s3_paths_allowlist">s3://bucket1,s3://bucket2/folder2/</s:key>
        <s:key name="data_catalog">glue:arn:aws:glue:us-west-2:123456789012:catalog</s:key>
        <s:key name="database">database_1</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="type">aws_s3</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/federated/provider/turnOffProvidersInBatch

https://<host>:<mPort>/services/data/federated/provider/turnOffProvidersInBatch

Use this endpoint to turn off groups of federated providers with one REST API call. This endpoint applies to federated providers for Federated Search for Splunk and Federated Search for Amazon S3. Federated Search for Amazon S3 is available only for Splunk Cloud Platform.

When federated providers are turned off, their federated indexes are unavailable for federated searches.

After you turn off a group of federated providers with this endpoint, individually turn each deactivated federated provider back on with the data/federated/provider/{federated_provider_name}/enable endpoint.

The provider endpoint does not honor user or app context. It always places federated provider stanzas in etc/system/local/federated.conf, no matter which user or app namespace you are currently using.

For more information about defining federated providers for Federated Search for Splunk, see Define a Splunk platform federated provider in Federated Search.

For more information about defining federated providers for Federated Search for Amazon S3, see Define an Amazon S3 federated provider in Federated Search.

Authentication and authorization
Usage of the POST operation for this endpoint is restricted to roles that have the admin_all_objects capability.

POST

Turns off all federated providers. Can also turn off all federated providers belonging to a specific federated search type.

Request parameters

Name What providers does this setting apply to? Type Description
type All providers String Optional. Provide a filter for the federated provider type. Your options for this setting depend on whether you are using Splunk Enterprise or Splunk Cloud Platform.

If you are running federated searches from a Splunk Enterprise deployment, you can only filter on type=splunk. A filter of type=splunk turns off all federated providers for Federated Search for Splunk.

If you are running federated searches from a Splunk Cloud Platform deployment, you have the option of filtering on type=splunk or type=aws_s3. A filter of type=aws_s3 turns off all federated providers for Federated Search for Amazon S3.

No default.

Returned values
None specific to this method.

Example XML requests

Turn off all federated providers, regardless of type.

curl -k -u admin:changeme -X POST https://localhost:8089/services/data/federated/provider/turnOffProvidersInBatch

Turn off all Federated Search for Splunk federated providers.

curl -k -u admin:changeme -X POST https://localhost:8089/services/data/federated/provider/turnOffProvidersInBatch -d type=splunk

Turn off all Federated Search for Amazon S3 federated providers.

curl -k -u admin:changeme -X POST https://localhost:8089/services/data/federated/provider/turnOffProvidersInBatch -d type=aws_s3

XML response

...
  <title>federated-provider</title>
  <id>https://localhost:8089/services/data/federated/provider</id>
  <updated>2024-01-12T15:42:21-08:00</updated>
  <generator build="560faafdef34420e5bda25009961db864cef5986" version="20240110"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/federated/provider/_new" rel="create"/>
  <link href="/services/data/federated/provider/_reload" rel="_reload"/>
  <link href="/services/data/federated/provider/_acl" rel="_acl"/>
  <link href="/services/data/federated/provider/generateACSPolicy" rel="generateACSPolicy"/>
  <link href="/services/data/federated/provider/generatePolicy" rel="generatePolicy"/>
  <link href="/services/data/federated/provider/getACSPolicy" rel="getACSPolicy"/>
  <link href="/services/data/federated/provider/getRegion" rel="getRegion"/>
  <link href="/services/data/federated/provider/turnOffProvidersInBatch" rel="turnOffProvidersInBatch"/>
  <link href="/services/data/federated/provider/updateACSPolicy" rel="updateACSPolicy"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

data/federated/provider/{federated_provider_name}

https://<host>:<mPort>/services/data/federated/provider/{federated_provider_name}

Use this endpoint to:

  • Retrieve a specific federated provider definition.
  • Update a specific federated provider definition.
  • Delete a specific federated provider definition.

Some of the settings you can review and update with these endpoints are exclusive to Federated Search for Splunk, while other settings are exclusive to Federated Search for Amazon S3. Federated Search for Amazon S3 is available only for Splunk Cloud Platform deployments.

The provider endpoint does not honor user or app context. It always places federated provider stanzas in etc/system/local/federated.conf, no matter which user or app namespace you are currently using.

For more information about defining federated providers for Federated Search for Splunk, see Define a Splunk platform federated provider in Federated Search.

For more information about defining federated providers for Federated Search for Amazon S3, see Define an Amazon S3 federated provider in Federated Search.

Authentication and Authorization
Usage of the POST and DELETE operations for this endpoint is restricted to roles that have the admin_all_objects capability.

GET

Returns a definition of a specific {federated_provider_name}.

Request parameters
None specific to this method.

Returned values

Each returned value is listed as the setting name, the providers the setting applies to, and a description.

name (all providers)
    Specifies the name of the federated provider.

type (all providers)
    Specifies the federated provider type. If you have a Splunk Enterprise deployment, you can set type only to splunk, indicating that the provider is for Federated Search for Splunk.
    If you have a Splunk Cloud Platform deployment, you can set type to either splunk or aws_s3. A type = aws_s3 setting indicates the provider is for Federated Search for Amazon S3. Defaults to splunk.

mode (Federated Search for Splunk providers only)
    Specifies whether the federated provider runs federated searches in standard or transparent mode. For a detailed comparison of the standard and transparent modes of federated search, see About Federated Search for Splunk in Federated Search.
    Defaults to standard.

appContext (Federated Search for Splunk providers only)
    Specifies the Splunk application context for federated searches that are run over standard mode federated providers. The application context ensures that standard mode federated searches using this federated provider are limited to the knowledge objects that are associated with the named application.
      • If mode = standard for this federated provider, appContext specifies the folder name of an app that is installed on the remote search head of the federated provider.
      • If mode = transparent for this federated provider, the federated provider ignores the appContext setting when you run federated searches over the provider. Transparent mode federated searches use the application context of the user running the search.
    Defaults to search.

aws_account_id (Federated Search for Amazon S3 providers only)
    Specifies a 12-digit Amazon Web Services (AWS) account ID.

aws_glue_tables_allowlist (Federated Search for Amazon S3 providers only)
    Specifies a comma-separated list of AWS Glue tables from which Federated Search for Amazon S3 can get metadata and data schemas.

aws_kms_keys_arn_allowlist (Federated Search for Amazon S3 providers only)
    Specifies a comma-separated list of the Amazon resource names (ARNs) for the AWS KMS keys that encrypt Amazon S3 data.

aws_region (Federated Search for Amazon S3 providers only)
    Specifies the Amazon Web Services (AWS) region of your Splunk Cloud Platform deployment. This setting is determined automatically by Splunk software.

aws_s3_paths_allowlist (Federated Search for Amazon S3 providers only)
    Specifies a comma-separated list of Amazon S3 location paths that you can search with Federated Search for Amazon S3.

database (Federated Search for Amazon S3 providers only)
    Specifies the name of the AWS Glue Data Catalog database that contains the AWS Glue Data Catalog tables for the federated provider.

data_catalog (Federated Search for Amazon S3 providers only)
    Specifies the Amazon Resource Name (ARN) for the AWS Glue Data Catalog. The ARN points to an AWS account.

hostPort (Federated Search for Splunk providers only)
    Specifies the protocols required to connect to a federated provider. Usually follows this format: <Host_Name>:<Service_Port_Number>. In some cases, an IP address is used instead of a host name.

serviceAccount (Federated Search for Splunk providers only)
    Specifies the user name for a service account that has been set up on the federated provider for the purpose of facilitating secure federated searches.

useFSHKnowledgeObjects (Federated Search for Splunk providers only)
    Specifies whether the remote search head uses its own knowledge objects for federated searches, or if it uses knowledge objects that are bundle-replicated from the federated search head.
    The federated provider mode determines the required setting for useFSHKnowledgeObjects.
      • When the federated provider has mode=standard, Splunk software always interprets useFSHKnowledgeObjects as being set to 0 or false, which means that the federated search can use a blend of local and remote knowledge objects.
      • When the federated provider has mode=transparent, Splunk software always interprets useFSHKnowledgeObjects as being set to 1 or true, because transparent mode federated searches can use knowledge objects only from the federated search head.

connectivityStatus (Federated Search for Splunk providers only)
    Specifies whether the federated provider established a connection to your local deployment in its last attempt to do so.
      • When connectivityStatus=valid, this federated provider was able to connect to your local deployment.
      • When connectivityStatus=invalid, this federated provider was unable to connect to your local deployment.
      • When connectivityStatus=unknown, the ability of the federated provider to check this connection has been turned off.
    This setting is for diagnostic purposes only and cannot be set or changed by users.

disabled (all providers)
    Specifies whether the federated provider is turned on or off. When a federated provider is turned off, the provider cannot return results for federated searches.

Example Federated Search for Splunk request and response
Return the definition for the my_federated_provider federated provider.

XML Request

curl -k -u admin:changeme -X GET https://localhost:8089/services/data/federated/provider/my_federated_provider

XML response

...
<entry>
  <title>my_federated_provider</title>
  <id>/servicesNS/nobody/system/data/federated/provider/my_federated_provider</id>
  <updated>1969-12-31T16:00:00-08:00</updated>
  <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="alternate"/>
  <author>
    <name>nobody</name>
  </author>
  <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="list"/>
  <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="edit"/>
  <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="remove"/>
  <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider/disable" rel="disable"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="appContext">search</s:key>
      <s:key name="disabled">0</s:key>
      <s:key name="eai:acl">
        <s:dict>
          <s:key name="app">system</s:key>
          <s:key name="can_change_perms">1</s:key>
          <s:key name="can_list">1</s:key>
          <s:key name="can_share_app">1</s:key>
          <s:key name="can_share_global">1</s:key>
          <s:key name="can_share_user">0</s:key>
          <s:key name="can_write">1</s:key>
          <s:key name="modifiable">1</s:key>
          <s:key name="owner">nobody</s:key>
          <s:key name="perms">
            <s:dict>
              <s:key name="read">
                <s:list>
                  <s:item>*</s:item>
                </s:list>
              </s:key>
              <s:key name="write">
                <s:list>
                  <s:item>*</s:item>
                </s:list>
              </s:key>
            </s:dict>
          </s:key>
          <s:key name="removable">1</s:key>
          <s:key name="sharing">system</s:key>
        </s:dict>
      </s:key>
      <s:key name="eai:attributes">
        <s:dict>
          <s:key name="optionalFields">
            <s:list>
              <s:item>appContext</s:item>
              <s:item>hostPort</s:item>
              <s:item>password</s:item>
              <s:item>serviceAccount</s:item>
              <s:item>type</s:item>
              <s:item>useFSHKnowledgeObjects</s:item>
            </s:list>
          </s:key>
          <s:key name="requiredFields">
            <s:list/>
          </s:key>
          <s:key name="wildcardFields">
            <s:list>
              <s:item>.*</s:item>
            </s:list>
          </s:key>
        </s:dict>
      </s:key>
      <s:key name="hostPort">10.225.131.242:8089</s:key>
      <s:key name="mode">standard</s:key>
      <s:key name="serviceAccount">user1</s:key>
      <s:key name="type">splunk</s:key>
      <s:key name="useFSHKnowledgeObjects">1</s:key>
    </s:dict>
  </content>
</entry>

Example Federated Search for Amazon S3 request and response
Return the definition for the aws_s3_provider federated provider.

XML Request

curl -k -u admin:changeme -X GET https://localhost:8089/services/data/federated/provider/aws_s3_provider

XML response

...
  <entry>
    <title>aws_s3_provider</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/federated/provider/aws_s3_provider</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="list"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="aws_account_id">123456789012</s:key>
        <s:key name="aws_glue_tables_allowlist">table_1,table_2</s:key>
        <s:key name="aws_kms_keys_arn_allowlist">arn:aws:kms:us-east-1:123456789012:key/b1e51ce6-210d-49dd-a6a6-7ff950000003</s:key>
        <s:key name="aws_region">us-west-2</s:key>
        <s:key name="aws_s3_paths_allowlist">s3://bucket1,s3://bucket2/folder2/</s:key>
        <s:key name="data_catalog">glue:arn:aws:glue:us-west-2:123456789012:catalog</s:key>
        <s:key name="database">database_1</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="type">aws_s3</s:key>
      </s:dict>
    </content>
  </entry>
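The two GET responses above carry the provider definition as a Splunk s:dict inside an Atom entry, and several of the returned values only make sense once the mode rules from the table are applied (a standard mode provider is always treated as useFSHKnowledgeObjects=0 even if the stored value is 1, as in the first response). The following Python script is an added example, not Splunk code: it parses an entry into a plain dictionary and derives the settings that actually govern a search. The embedded entry is a constructed, trimmed copy of the Federated Search for Splunk response shape shown above, and the function names are the example's own.

```python
"""Added example (not Splunk code): parse a federated provider entry returned by
data/federated/provider/{federated_provider_name} and report the effective settings."""
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}
S_DICT = "{%s}dict" % NS["s"]
S_LIST = "{%s}list" % NS["s"]

# Constructed sample modelled on the GET response above (trimmed; not captured output).
SAMPLE_ENTRY = """<entry xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>my_federated_provider</title>
  <content type="text/xml">
    <s:dict>
      <s:key name="appContext">search</s:key>
      <s:key name="connectivityStatus">valid</s:key>
      <s:key name="disabled">0</s:key>
      <s:key name="eai:acl">
        <s:dict>
          <s:key name="owner">nobody</s:key>
          <s:key name="perms">
            <s:dict>
              <s:key name="read"><s:list><s:item>*</s:item></s:list></s:key>
              <s:key name="write"><s:list><s:item>*</s:item></s:list></s:key>
            </s:dict>
          </s:key>
        </s:dict>
      </s:key>
      <s:key name="hostPort">10.225.131.242:8089</s:key>
      <s:key name="mode">standard</s:key>
      <s:key name="serviceAccount">user1</s:key>
      <s:key name="type">splunk</s:key>
      <s:key name="useFSHKnowledgeObjects">1</s:key>
    </s:dict>
  </content>
</entry>"""


def _value(node):
    """Convert an s:key, s:item or content element: its single s:dict/s:list child, else its text."""
    child = next(iter(node), None)
    if child is None:
        return (node.text or "").strip()
    if child.tag == S_DICT:
        return {k.get("name"): _value(k) for k in child.findall("s:key", NS)}
    if child.tag == S_LIST:
        return [_value(i) for i in child.findall("s:item", NS)]
    raise ValueError("unexpected element %s" % child.tag)


def parse_provider_entry(xml_text):
    """Return (provider_name, settings) for a bare <entry> or the first entry of a <feed>."""
    root = ET.fromstring(xml_text)
    entry = root if root.tag == "{%s}entry" % NS["atom"] else root.find("atom:entry", NS)
    if entry is None:
        raise ValueError("response contains no <entry>")
    title = entry.find("atom:title", NS)
    content = entry.find("atom:content", NS)
    if title is None or content is None:
        raise ValueError("entry lacks <title> or <content>")
    return (title.text or "").strip(), _value(content)


def effective_settings(settings):
    """Apply the mode rules from the returned-values table to a Federated Search for Splunk provider."""
    if settings.get("type", "splunk") != "splunk":
        raise ValueError("mode/appContext/useFSHKnowledgeObjects apply only to type=splunk providers")
    mode = settings.get("mode", "standard")
    transparent = mode == "transparent"
    effective_fsh = "1" if transparent else "0"   # standard -> 0, transparent -> 1, whatever is stored
    stored_fsh = settings.get("useFSHKnowledgeObjects")
    return {
        "mode": mode,
        "hostPort": settings.get("hostPort"),
        "useFSHKnowledgeObjects": effective_fsh,
        "storedValueIgnored": stored_fsh is not None and stored_fsh != effective_fsh,
        "appContext": None if transparent else settings.get("appContext", "search"),
        "searchable": settings.get("disabled", "0") == "0",
        "lastConnectionOk": settings.get("connectivityStatus") == "valid",
    }


if __name__ == "__main__":
    name, settings = parse_provider_entry(SAMPLE_ENTRY)
    print(name, effective_settings(settings))
```

Running it against the sample reports useFSHKnowledgeObjects=0 with storedValueIgnored=True, which is the discrepancy a reviewer would otherwise miss when reading the stored value 1 in the first response above.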

POST

Updates a definition for a specific {federated_provider_name}.

Request parameters

At least one argument is required.

Each request parameter is listed as the parameter name, the providers it applies to, its type, and a description.

appContext (Federated Search for Splunk providers only; String)
    Specify an app folder name to apply an application context to federated searches over a standard mode federated provider. The application context determines which set of knowledge objects on the remote search head is applied to the federated searches you run over that provider.
      • If mode = standard, provide the short name of an app that is installed on the remote search head of the federated provider.
      • If mode = transparent, you do not need to set appContext. Transparent mode federated providers ignore the appContext setting and instead apply the application context of the user running the federated search.
    See Set the app context for standard mode federated providers in Federated Search.
    Defaults to search.

aws_account_id (Federated Search for Amazon S3 providers only; Number)
    Required. Provide the 12-digit ID for the Amazon Web Services (AWS) account that is the data source for your federated provider.

aws_glue_tables_allowlist (Federated Search for Amazon S3 providers only; String)
    Required. Provide a comma-separated list of AWS Glue tables from which Federated Search for Amazon S3 can get metadata and data schemas. Each AWS Glue table in the list must meet these requirements:
      • It must belong to the AWS Glue Data Catalog database that you identify for the database setting.
      • It must reference an Amazon S3 location path that you have listed for the aws_s3_paths_allowlist setting.

aws_kms_keys_arn_allowlist (Federated Search for Amazon S3 providers only; String)
    If you use the AWS Key Management Service to apply server-side encryption (SSE-KMS) to the data stored in your Amazon S3 buckets, provide a comma-separated list of the Amazon resource names (ARNs) for the AWS KMS keys that encrypt Amazon S3 data.
    Federated Search for Amazon S3 supports only customer-managed AWS KMS keys. In addition, each KMS key ARN you provide in this field must belong to the AWS account you specify with the aws_account_id setting.

aws_s3_paths_allowlist (Federated Search for Amazon S3 providers only; String)
    Required. Provide a comma-separated list of Amazon S3 location paths that you can search with Federated Search for Amazon S3.

hostPort (Federated Search for Splunk providers only; String)
    Required. Provide the host name and port number for the federated provider, separated by a colon character. For example: buttercupgames.splunkcloud.com:8089.

password (Federated Search for Splunk providers only; String)
    Required. Provide the password for a service account that is already set up on the federated provider. This dedicated user account allows the federated search head on your local instance to securely search datasets on the federated provider.
    See Service accounts and security for Federated Search for Splunk in Federated Search.

serviceAccount (Federated Search for Splunk providers only; String)
    Required. Provide the username for a service account that is already set up on the federated provider. This dedicated user account allows the federated search head on your local instance to securely search datasets on the federated provider.
    See Service accounts and security for Federated Search for Splunk in Federated Search.

Returned values

Each returned value is listed as the setting name, the providers the setting applies to, and a description.

name (all providers)
    Specifies the name of the federated provider.

type (all providers)
    Specifies the federated provider type. If you have a Splunk Enterprise deployment, you can set type only to splunk, indicating that the provider is for Federated Search for Splunk.
    If you have a Splunk Cloud Platform deployment, you can set type to either splunk or aws_s3. A type = aws_s3 setting indicates the provider is for Federated Search for Amazon S3. Defaults to splunk.

mode (Federated Search for Splunk providers only)
    Specifies whether the federated provider runs federated searches in standard or transparent mode. For a detailed comparison of the standard and transparent modes of federated search, see About Federated Search for Splunk in Federated Search.
    Defaults to standard.

appContext (Federated Search for Splunk providers only)
    Specifies the Splunk application context for federated searches that are run over standard mode federated providers. The application context ensures that standard mode federated searches using this federated provider are limited to the knowledge objects that are associated with the named application.
      • If mode = standard for this federated provider, appContext specifies the folder name of an app that is installed on the remote search head of the federated provider.
      • If mode = transparent for this federated provider, the federated provider ignores the appContext setting when you run federated searches over the provider. Transparent mode federated searches use the application context of the user running the search.
    Defaults to search.

aws_account_id (Federated Search for Amazon S3 providers only)
    Specifies a 12-digit Amazon Web Services (AWS) account ID.

aws_glue_tables_allowlist (Federated Search for Amazon S3 providers only)
    Specifies a comma-separated list of AWS Glue tables from which Federated Search for Amazon S3 can get metadata and data schemas.

aws_kms_keys_arn_allowlist (Federated Search for Amazon S3 providers only)
    Specifies a comma-separated list of the Amazon resource names (ARNs) for the AWS KMS keys that encrypt Amazon S3 data.

aws_region (Federated Search for Amazon S3 providers only)
    Specifies the Amazon Web Services (AWS) region of your Splunk Cloud Platform deployment. This setting is determined automatically by Splunk software.

aws_s3_paths_allowlist (Federated Search for Amazon S3 providers only)
    Specifies a comma-separated list of Amazon S3 location paths that you can search with Federated Search for Amazon S3.

database (Federated Search for Amazon S3 providers only)
    Specifies the name of the AWS Glue Data Catalog database that contains the AWS Glue Data Catalog tables for the federated provider.

data_catalog (Federated Search for Amazon S3 providers only)
    Specifies the Amazon Resource Name (ARN) for the AWS Glue Data Catalog. The ARN points to an AWS account. Splunk software provides the value for this setting.

hostPort (Federated Search for Splunk providers only)
    Specifies the protocols required to connect to a federated provider. Usually follows this format: <Host_Name>:<Service_Port_Number>. In some cases, an IP address is used instead of a host name.

serviceAccount (Federated Search for Splunk providers only)
    Specifies the user name for a service account that has been set up on the federated provider for the purpose of facilitating secure federated searches.

useFSHKnowledgeObjects (Federated Search for Splunk providers only)
    Specifies whether the remote search head uses its own knowledge objects for federated searches, or if it uses knowledge objects that are bundle-replicated from the federated search head.
    The federated provider mode determines the required setting for useFSHKnowledgeObjects.
      • When the federated provider has mode=standard, Splunk software always interprets useFSHKnowledgeObjects as being set to 0 or false, which means that the federated search can use a blend of local and remote knowledge objects.
      • When the federated provider has mode=transparent, Splunk software always interprets useFSHKnowledgeObjects as being set to 1 or true, because transparent mode federated searches can use knowledge objects only from the federated search head.

connectivityStatus (Federated Search for Splunk providers only)
    Specifies whether the federated provider established a connection to your local deployment in its last attempt to do so.
      • When connectivityStatus=valid, this federated provider was able to connect to your local deployment.
      • When connectivityStatus=invalid, this federated provider was unable to connect to your local deployment.
      • When connectivityStatus=unknown, the ability of the federated provider to check this connection has been turned off.
    This setting is for diagnostic purposes only and cannot be set or changed by users.

disabled (all providers)
    Specifies whether the federated provider is turned on or off. When a federated provider is turned off, the provider cannot return results for federated searches.

Example Federated Search for Splunk request and response

For the federated provider named my_federated_provider, change the serviceAccount setting to eagle01, to match an update to the service account user on that federated provider.

XML request

curl -k -u admin:changeme -X POST https://localhost:8089/services/data/federated/provider/my_federated_provider -d serviceAccount=eagle01

XML response

  <entry>
    <title>my_federated_provider</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/federated/provider/my_federated_provider</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="list"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/my_federated_provider" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="appContext">search</s:key>
        <s:key name="connectivityStatus">valid</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="hostPort">10.224.150.77:58677</s:key>
        <s:key name="mode">standard</s:key>
        <s:key name="serviceAccount">eagle01</s:key>
        <s:key name="type">splunk</s:key>
        <s:key name="useFSHKnowledgeObjects">0</s:key>
      </s:dict>
    </content>
  </entry>

Example Federated Search for Amazon S3 request and response

For the federated provider named aws_s3_provider, change the aws_glue_tables_allowlist setting to table_1,table_2,table3,table4, to include table3 and table4, two new AWS Glue tables that you added to the AWS Glue database.

XML request

curl -k -u admin:changeme -X POST https://localhost:8089/services/data/federated/provider/aws_s3_provider -d aws_glue_tables_allowlist=table_1,table_2,table3,table4

XML response

  <entry>
    <title>test_provider</title>
    <id>https://localhost:8089/servicesNS/nobody/system/data/federated/provider/aws_s3_provider</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="list"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/federated/provider/aws_s3_provider" rel="remove"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="aws_account_id">123456789012</s:key>
        <s:key name="aws_glue_tables_allowlist">table3,table4,table_1,table_2</s:key>
        <s:key name="aws_kms_keys_arn_allowlist">arn:aws:kms:us-east-1:123456789012:key/b1e51ce6-210d-49dd-a6a6-7ff950000003</s:key>
        <s:key name="aws_region">us-west-2</s:key>
        <s:key name="aws_s3_paths_allowlist">s3://bucket1,s3://bucket2/folder2/</s:key>
        <s:key name="data_catalog">glue:arn:aws:glue:us-west-2:123456789012:catalog</s:key>
        <s:key name="database">database_1</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="type">aws_s3</s:key>
      </s:dict>
    </content>
  </entry>
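The POST request parameters above carry several cross-field rules that the endpoint does not spell out in its error messages: aws_account_id must be a 12-digit number, every KMS key ARN in aws_kms_keys_arn_allowlist must belong to that account, the S3 paths must be location paths, and hostPort must be host and port separated by a colon. The Python script below is an added example, not Splunk code: it checks an update against those rules before anything is sent, form-encodes the body the way curl -d does, and masks the password parameter for logging. The account, ARN and table values in the test are the constructed sample values from the responses above, and the function names are the example's own.

```python
"""Added example (not Splunk code): pre-flight checks for a POST to
data/federated/provider/{federated_provider_name}, based only on the rules
stated in the request-parameter table."""
import re
from urllib.parse import urlencode

ACCOUNT_ID = re.compile(r"\d{12}")
# KMS key ARN: arn:aws:kms:<region>:<12-digit account>:key/<key id>
KMS_KEY_ARN = re.compile(r"arn:aws:kms:[a-z0-9-]+:(\d{12}):key/[0-9a-f-]+")
HOST_PORT = re.compile(r"[A-Za-z0-9.-]+:\d{1,5}")


def _csv(value):
    """Split a comma-separated setting into its non-empty, stripped items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def validate_provider_update(provider_type, params, current=None):
    """Return a list of problems (empty means the update is consistent).

    `current` holds the provider's existing settings (as returned by GET) so that
    a rule spanning a field not in this update, such as the KMS-key account
    check against aws_account_id, can still be applied."""
    current = current or {}
    problems = []
    if not params:
        return ["at least one argument is required"]
    if provider_type == "splunk":
        for key in ("hostPort", "serviceAccount", "password"):
            if key in params and not params[key]:
                problems.append("%s must not be empty" % key)
        host_port = params.get("hostPort")
        if host_port and not HOST_PORT.fullmatch(host_port):
            problems.append("hostPort must be <host>:<port>")
    elif provider_type == "aws_s3":
        account = str(params.get("aws_account_id", current.get("aws_account_id", "")))
        if "aws_account_id" in params and not ACCOUNT_ID.fullmatch(account):
            problems.append("aws_account_id must be a 12-digit number")
        if "aws_glue_tables_allowlist" in params and not _csv(params["aws_glue_tables_allowlist"]):
            problems.append("aws_glue_tables_allowlist must name at least one AWS Glue table")
        for path in _csv(params.get("aws_s3_paths_allowlist", "")):
            if not path.startswith("s3://"):
                problems.append("not an Amazon S3 location path: %s" % path)
        for arn in _csv(params.get("aws_kms_keys_arn_allowlist", "")):
            match = KMS_KEY_ARN.fullmatch(arn)
            if match is None:
                problems.append("not an AWS KMS key ARN: %s" % arn)
            elif match.group(1) != account:
                problems.append("KMS key %s belongs to account %s, not %s" % (arn, match.group(1), account))
    else:
        problems.append("unknown provider type: %s" % provider_type)
    return problems


def build_post_body(params):
    """Form-encode the update as curl -d would, so commas, colons and slashes survive."""
    return urlencode(params)


def redact_for_log(params):
    """Copy of the parameters safe to write to a log: the service-account password is masked."""
    return {k: ("***" if k == "password" else v) for k, v in params.items()}


if __name__ == "__main__":
    update = {"aws_glue_tables_allowlist": "table_1,table_2,table3,table4"}
    existing = {"aws_account_id": "123456789012"}   # constructed, from the sample response above
    print(validate_provider_update("aws_s3", update, existing), build_post_body(update))
```

The checks are deliberately limited to what the table states; anything the endpoint validates beyond that still surfaces in the response's s:messages element.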

DELETE

Deletes a definition for a specific {federated_provider_name}.

Request parameters
None specific to this method.

Returned values
None specific to this method.

Example Federated Search for Splunk request and response
Delete the [provider://my_federated_provider] stanza from etc/system/local/federated.conf.

XML Request

curl -k -u admin:changeme -X DELETE https://localhost:8089/services/data/federated/provider/my_federated_provider

XML response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>federated-provider</title>
  <id>/services/data/federated/provider</id>
  <updated>2021-04-27T12:47:36-07:00</updated>
  <generator build="aa7e77c0d232b8ec1a8c12ceeda95e0bfe3c3f1c" version="20210423"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/federated/provider/_new" rel="create"/>
  <link href="/services/data/federated/provider/_reload" rel="_reload"/>
  <link href="/services/data/federated/provider/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

Example Federated Search for Amazon S3 request and response
Delete the [provider://aws_s3_provider] stanza from etc/system/local/federated.conf.

XML Request

curl -k -u admin:changeme -X DELETE https://localhost:8089/services/data/federated/provider/aws_s3_provider

XML Response

...
  <title>federated-provider</title>
  <id>https://localhost:8089/services/data/federated/provider</id>
  <updated>2024-01-12T16:15:18-08:00</updated>
  <generator build="560faafdef34420e5bda25009961db864cef5986" version="20240110"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/federated/provider/_new" rel="create"/>
  <link href="/services/data/federated/provider/_reload" rel="_reload"/>
  <link href="/services/data/federated/provider/_acl" rel="_acl"/>
  <link href="/services/data/federated/provider/generateACSPolicy" rel="generateACSPolicy"/>
  <link href="/services/data/federated/provider/generatePolicy" rel="generatePolicy"/>
  <link href="/services/data/federated/provider/getACSPolicy" rel="getACSPolicy"/>
  <link href="/services/data/federated/provider/getRegion" rel="getRegion"/>
  <link href="/services/data/federated/provider/turnOffProvidersInBatch" rel="turnOffProvidersInBatch"/>
  <link href="/services/data/federated/provider/updateACSPolicy" rel="updateACSPolicy"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

data/federated/provider/{federated_provider_name}/disable

https://<host>:<mPort>/services/data/federated/provider/{federated_provider_name}/disable

Use this endpoint to turn a specific federated provider off. When a federated provider is turned off, all federated indexes associated with that provider are not searchable in federated searches. This endpoint applies to federated providers for Federated Search for Splunk and for Federated Search for Amazon S3. Federated Search for Amazon S3 is available only for Splunk Cloud Platform deployments.

The provider endpoint does not honor user or app context. It always places federated provider stanzas in etc/system/local/federated.conf, no matter which user or app namespace you are currently using.

For more information about federated providers for Federated Search for Splunk, see Define a Splunk platform federated provider in Federated Search.

For more information about federated providers for Federated Search for Amazon S3, see Define an Amazon S3 federated provider in Federated Search.

Authentication and Authorization
Usage of the POST operation for this endpoint is restricted to roles that have the admin_all_objects capability.

POST

Turn off a specific federated provider.

Request parameters
None specific to this method.

Returned values
None specific to this method.

Example federated search request and response
Turn off a provider named aws_s3_provider.

XML request

curl -k -u admin:changeme -X POST https://localhost:8089/services/data/federated/provider/aws_s3_provider/disable

XML response

...
  <title>federated-provider</title>
  <id>https://localhost:8089/services/data/federated/provider</id>
  <updated>2024-01-12T15:42:21-08:00</updated>
  <generator build="560faafdef34420e5bda25009961db864cef5986" version="20240110"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/federated/provider/_new" rel="create"/>
  <link href="/services/data/federated/provider/_reload" rel="_reload"/>
  <link href="/services/data/federated/provider/_acl" rel="_acl"/>
  <link href="/services/data/federated/provider/generateACSPolicy" rel="generateACSPolicy"/>
  <link href="/services/data/federated/provider/generatePolicy" rel="generatePolicy"/>
  <link href="/services/data/federated/provider/getACSPolicy" rel="getACSPolicy"/>
  <link href="/services/data/federated/provider/getRegion" rel="getRegion"/>
  <link href="/services/data/federated/provider/turnOffProvidersInBatch" rel="turnOffProvidersInBatch"/>
  <link href="/services/data/federated/provider/updateACSPolicy" rel="updateACSPolicy"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

data/federated/provider/{federated_provider_name}/enable

https://<host>:<mPort>/services/data/federated/provider/{federated_provider_name}/enable

Use this endpoint to turn a federated provider back on after you have turned it off. When a federated provider is turned on, all federated indexes associated with that provider can be searched in federated searches. This endpoint applies to federated providers for Federated Search for Splunk and federated providers for Federated Search for Amazon S3. Federated Search for Amazon S3 is available only for Splunk Cloud Platform deployments.

The provider endpoint does not honor user or app context. It always places federated provider stanzas in etc/system/local/federated.conf, no matter which user or app namespace you are currently using.

For more information about federated providers for Federated Search for Splunk, see Define a Splunk platform federated provider in Federated Search.

For more information about federated providers for Federated Search for Amazon S3, see Define an Amazon S3 federated provider in Federated Search.

Authentication and Authorization
Usage of the POST operation for this endpoint is restricted to roles that have the admin_all_objects capability.

POST

Turns a specific federated provider on.

Request parameters
None specific to this method.

Returned values
None specific to this method.

Example request and response
Turn on a federated provider named aws_s3_provider.

XML request

curl -k -u admin:changeme -X POST https://localhost:8089/services/data/federated/provider/aws_s3_provider/enable

XML response

  <title>federated-provider</title>
  <id>https://localhost:8089/services/data/federated/provider</id>
  <updated>2024-01-12T15:42:21-08:00</updated>
  <generator build="560faafdef34420e5bda25009961db864cef5986" version="20240110"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/federated/provider/_new" rel="create"/>
  <link href="/services/data/federated/provider/_reload" rel="_reload"/>
  <link href="/services/data/federated/provider/_acl" rel="_acl"/>
  <link href="/services/data/federated/provider/generateACSPolicy" rel="generateACSPolicy"/>
  <link href="/services/data/federated/provider/generatePolicy" rel="generatePolicy"/>
  <link href="/services/data/federated/provider/getACSPolicy" rel="getACSPolicy"/>
  <link href="/services/data/federated/provider/getRegion" rel="getRegion"/>
  <link href="/services/data/federated/provider/turnOffProvidersInBatch" rel="turnOffProvidersInBatch"/>
  <link href="/services/data/federated/provider/updateACSPolicy" rel="updateACSPolicy"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

data/federated/index

https://<host>:<mPort>/services/data/federated/index

Use this endpoint to get a list of federated indexes and post new federated index definitions. Some of these federated index settings are exclusive to Federated Search for Splunk, while others are exclusive to Federated Search for Amazon S3. Federated Search for Amazon S3 is available only for Splunk Cloud Platform.

For more information about defining federated indexes for Federated Search for Splunk, see Map a federated index to a remote Splunk dataset in Federated Search.

For more information about defining federated indexes for Federated Search for Amazon S3, see Map a federated index to an AWS Glue Data Catalog table dataset in Federated Search.

Authentication and authorization
Usage of the POST operation for this endpoint is restricted to roles that have the admin_all_objects and indexes_edit capabilities.

GET

Returns a list of federated indexes.

Request parameters
None specific to this method. This method can use pagination and filtering parameters.

Returned values
This table is limited to settings specific to federated indexes. For descriptions of other index settings see the entry for data/indexes.

The data/indexes endpoint is available only to users of Splunk Enterprise.

Each setting is listed as name (kinds of federated indexes it applies to): description.

  • name (all federated indexes): Specifies the name of the federated index. Uses the syntax federated:<index_name>.
  • federated.provider (all federated indexes): Specifies the federated provider that contains the dataset to which this federated index maps.
  • federated.dataset (all federated indexes): Specifies the remote dataset on the federated.provider to which this federated index maps. Each federated index maps to only one dataset on a federated provider. The dataset is identified by its prefix and name, using the following syntax: <prefix>:<dataset_name>.
    If the federated.provider has type=splunk in its definition on federated.conf, the possible values for <prefix> are index, savedsearch, lastjob, and datamodel.
    If the federated.provider has type=aws_s3 in its definition on federated.conf, the <prefix> must be set to aws_glue_table.
  • federated.timefield (Federated Search for Amazon S3 federated indexes only): Specifies the time field that acts like an event timestamp in the AWS Glue table to which this index maps.
  • federated.timeformat (Federated Search for Amazon S3 federated indexes only): Specifies the time format variable or custom time format variable string that matches the federated.timefield.
  • federated.unixtimefield (Federated Search for Amazon S3 federated indexes only): An alias for the federated.timefield that Splunk software converts into numeric UNIX time format at search time.
    Insert the federated.unixtimefield into federated searches that require numeric UNIX time field values, or when you want to see your time field in numeric UNIX time format in the search results.
    Defaults to _time.
  • federated.partition.time.fields (Federated Search for Amazon S3 federated indexes only): Specifies a comma-delimited list of time-related fields in the AWS Glue table to which the index is mapped. Each field is a partition key for a partition time field level indicated by its order in the list. The first field is at the first level, the second field is at the second level, and so on.
  • federated.partition.time.formats (Federated Search for Amazon S3 federated indexes only): Specifies a comma-delimited list of time format variables or custom time format strings that correspond to the fields in the federated.partition.time.fields list. The first variable corresponds to the first field name, the second variable corresponds to the second field name, and so on.
  • federated.partition.time.types (Federated Search for Amazon S3 federated indexes only): Specifies a comma-delimited list of time field types that correspond to the fields in the federated.partition.time.fields list. Possible values are String, Integer, and Date.
  • federated.partition.time.tz (Federated Search for Amazon S3 federated indexes only): Specifies the timezone that corresponds to the fields in the federated.partition.time.fields list. Possible values are canonical timezone names such as America/Los_Angeles.

Example request and response
Get the complete list of federated indexes. The following XML response provides a sample of one returned Federated Search for Splunk federated index record.

XML Request

curl -k -u admin:changeme -X GET  https://localhost:8126/services/data/federated/index

XML response

...
  <entry>
    <title>federated:remote_index_df_1</title>
    <id>https://localhost:8126/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="list"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="federated.dataset">index:index_df_1</s:key>
        <s:key name="federated.provider">provider-1</s:key>
      </s:dict>
    </content>
  </entry>
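
The sample response above wraps every setting in Splunk's s:dict / s:key / s:list structure, which is awkward to consume directly. The following parser is an added example, not Splunk code: it converts that structure into plain Python dicts and lists and then lists the federated indexes whose eai:acl grants write access to every role. SAMPLE_FEED is constructed from the page's sample entry, wrapped in a feed root that declares the Atom and Splunk REST namespaces the real response carries.

```python
"""Parse the Atom response that data/federated/index returns.

Added example, not Splunk code. SAMPLE_FEED is constructed from the page's
sample entry and wrapped in a feed root with the Atom and Splunk REST
namespace declarations; the s:dict / s:key / s:list nesting is as shown
on the page.
"""
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}
S_DICT, S_LIST = f"{{{NS['s']}}}dict", f"{{{NS['s']}}}list"

SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>federated-index</title>
  <entry>
    <title>federated:remote_index_df_1</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read"><s:list><s:item>*</s:item></s:list></s:key>
                <s:key name="write"><s:list><s:item>*</s:item></s:list></s:key>
              </s:dict>
            </s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="federated.dataset">index:index_df_1</s:key>
        <s:key name="federated.provider">provider-1</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def convert(node):
    """Turn the element's single s:dict or s:list child into Python values,
    or return its text when it has no child element (a scalar s:key / s:item)."""
    child = next(iter(node), None)
    if child is None:
        return (node.text or "").strip()
    if child.tag == S_DICT:
        return {key.get("name"): convert(key) for key in child.findall("s:key", NS)}
    if child.tag == S_LIST:
        return [convert(item) for item in child.findall("s:item", NS)]
    raise ValueError(f"unexpected element {child.tag}")


def parse_federated_indexes(xml_text):
    """Map each entry title (the federated index name) to its settings dict."""
    root = ET.fromstring(xml_text)
    return {entry.findtext("atom:title", namespaces=NS): convert(entry.find("atom:content", NS))
            for entry in root.findall("atom:entry", NS)}


def writable_by_all_roles(indexes):
    """Names of federated indexes whose eai:acl grants write to every role ("*")."""
    return sorted(name for name, settings in indexes.items()
                  if "*" in settings.get("eai:acl", {}).get("perms", {}).get("write", []))
```

Feed the text of a GET response into parse_federated_indexes and check the result of writable_by_all_roles; the sample entry on the page has write set to *, so it is reported.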

POST

Creates a new federated index definition.

These tables are limited to settings specific to federated indexes. For descriptions of other index settings see the entry for data/indexes.

The data/indexes endpoint is available only to users of Splunk Enterprise.

Request parameters

Each parameter is listed as name (kinds of federated indexes it applies to; type): description.

  • name (all federated indexes; String): Required. Specify a unique name for the federated index, using the syntax federated:<index_name>. Each federated index maps to only one remote dataset on a federated provider, so the name should reference that dataset.
    Index names have the following limitations:
      • They may contain only lowercase letters, numbers, underscores, and hyphens.
      • They must begin with a letter or number.
      • They cannot be more than 2048 characters in length.
      • They cannot contain the string "kvstore".
  • federated.provider (all federated indexes; String): Required. Specify the federated provider that contains the dataset to which this federated index maps.
  • federated.dataset (all federated indexes; String): Required. Specify the dataset on the federated.provider to which this federated index maps. The dataset is identified by its type and name, using the following syntax: <prefix>:<remote_name>.
    If the federated.provider has type=splunk in its definition on federated.conf, the possible values for <prefix> are:
      • index: A name of an events or metrics index on the federated provider. Each remote index is a searchable dataset.
      • savedsearch: A name of a saved search on the federated provider. The result set produced by an ad-hoc run of a saved search is a searchable dataset.
      • lastjob: A name of a saved search on the federated provider that has been configured to run on a schedule. The result set for the last job run for a scheduled search is a searchable dataset.
      • datamodel: A name of a data model on the federated provider. The set of events defined by a data model is a searchable dataset.
    If the federated.provider has type=aws_s3 in its definition on federated.conf, the <prefix> must be set to aws_glue_table, and the <remote_name> must be set to the name of an AWS Glue Data Catalog table that is listed in the federated.provider definition in federated.conf. An AWS Glue Data Catalog table contains metadata that represents data in an Amazon S3 data store.
    If the <prefix> is undefined, it defaults to index. There is no default value for the <remote_name>.
  • federated.timefield (Federated Search for Amazon S3 federated indexes only; String): Optional. Specifies the name of a time field that acts like an event timestamp in the AWS Glue table to which this index maps. In other words, the name of the field in the AWS Glue table that behaves like _time in the Splunk search processing language. You must provide a federated.timefield if you want to use time-related functions to search your remote Amazon S3 data.
  • federated.timeformat (Federated Search for Amazon S3 federated indexes only; String): Optional. Specifies the time format variable or custom time format variable string that matches the federated.timefield. The time format variable string must be in Splunk strptime() format.
    This setting is required if you provide a federated.timefield value.
  • federated.unixtimefield (Federated Search for Amazon S3 federated indexes only; String): Optional. Specifies an alias for the federated.timefield that Splunk software converts into numeric UNIX time format at search time.
    Insert the federated.unixtimefield into federated searches that require numeric UNIX time field values, or when you want to see your time field in numeric UNIX time format in the search results.
    The federated.timefield for a federated index cannot have the same value as the federated.unixtimefield for that federated index. In other words, if federated.timefield is set to _time, you must change the value of federated.unixtimefield to a value other than _time.
    Defaults to _time.
  • federated.partition.time.fields (Federated Search for Amazon S3 federated indexes only; String): Optional. Specifies a comma-delimited list of time-related fields in your remote data. These fields govern the partitions by which remote data is organized in non-Splunk-platform federated providers (such as Amazon S3 federated providers).
    Use this setting in conjunction with federated.partition.time.formats and federated.partition.time.types to identify the hierarchical structure of the data partitions in your remote data. The field list you provide for federated.partition.time.fields must correspond with the list of time formats you provide for federated.partition.time.formats and the list of data types you provide for federated.partition.time.types.
    Time field names containing comma characters must be surrounded by double quote characters to prevent Splunk software from breaking such values into multiple values.
    Do not set federated.partition.time.fields if the federated provider with which the federated index is associated has type=splunk.
  • federated.partition.time.formats (Federated Search for Amazon S3 federated indexes only; String): Optional. Specifies a comma-delimited list of time format variable strings that correspond to the time fields listed by the federated.partition.time.fields setting. The %w and %JT time format variables are not supported by this setting. See Date and time format variables in the Search manual.
    Time format variable strings containing comma characters must be surrounded by double-quote characters to prevent Splunk software from breaking such strings into multiple values.
    This setting is required if you have defined a list of federated.partition.time.fields. Do not set this setting if federated.partition.time.fields is not set.
  • federated.partition.time.types (Federated Search for Amazon S3 federated indexes only; String): Optional. Specifies a comma-delimited list of data type values that correspond to the time fields listed by the federated.partition.time.fields setting. The supported time field types are string, integer, and date.
    This setting is required if you have defined a list of federated.partition.time.fields. Do not set this setting if federated.partition.time.fields is not set.
  • federated.partition.time.tz (Federated Search for Amazon S3 federated indexes only; String): Optional. Specifies the time zone to use for the time fields listed in federated.partition.time.fields. Use only canonical time zone names such as America/Los_Angeles.
    Do not set this setting if federated.partition.time.fields is not set. If this setting is not set when federated.partition.time.fields is set, Splunk software uses the per-user time zone, as declared in user-prefs.conf with the tz setting.
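
The request parameters above carry a number of cross-field constraints (name syntax, the prefix allowed per provider type, timeformat required with timefield, timefield distinct from unixtimefield, and the three partition lists having to line up). The following pre-flight validator is an added example, not Splunk code: it applies those documented constraints to a definition before anything is sent, and form-encodes the body the same way curl encodes -d values, which is why a literal %s time format travels as %25s in the page's curl example. The provider_type argument ("splunk" or "aws_s3") is assumed to be supplied by the caller from the federated provider definition, since the endpoint itself reads it from federated.conf.

```python
"""Pre-flight checks for a data/federated/index POST body.

Added example, not Splunk code. It applies the constraints the request
parameter table documents before anything is sent and form-encodes the body.
provider_type ("splunk" or "aws_s3") is assumed to come from the federated
provider definition, because the endpoint looks it up in federated.conf itself.
"""
import csv
import re
from urllib.parse import urlencode

INDEX_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]*$")
SPLUNK_PREFIXES = {"index", "savedsearch", "lastjob", "datamodel"}
PARTITION_TYPES = {"string", "integer", "date"}
UNSUPPORTED_PARTITION_VARS = ("%w", "%JT")
PARTITION_DEPENDENTS = ("federated.partition.time.formats",
                        "federated.partition.time.types",
                        "federated.partition.time.tz")


def split_csv(value):
    """Split a comma-delimited setting; double-quoted items keep their commas."""
    return next(csv.reader([value], skipinitialspace=True))


def validate_federated_index(params, provider_type):
    """Return the documented constraints that the definition violates."""
    problems = []
    name = params.get("name", "")
    if not name.startswith("federated:"):
        problems.append("name must use the syntax federated:<index_name>")
    else:
        index_name = name[len("federated:"):]
        if not INDEX_NAME_RE.match(index_name):
            problems.append("index name: lowercase letters, numbers, underscores and "
                            "hyphens only, beginning with a letter or number")
        if len(index_name) > 2048:
            problems.append("index name cannot exceed 2048 characters")
        if "kvstore" in index_name:
            problems.append('index name cannot contain "kvstore"')
    if not params.get("federated.provider"):
        problems.append("federated.provider is required")
    dataset = params.get("federated.dataset", "")
    if not dataset:
        problems.append("federated.dataset is required")
    else:
        prefix, sep, remote = dataset.partition(":")
        if not sep:  # an undefined <prefix> defaults to index
            prefix, remote = "index", dataset
        if not remote:
            problems.append("federated.dataset has no <remote_name>")
        if provider_type == "splunk" and prefix not in SPLUNK_PREFIXES:
            problems.append(f"prefix {prefix!r} is not valid for a type=splunk provider")
        if provider_type == "aws_s3" and prefix != "aws_glue_table":
            problems.append("a type=aws_s3 provider requires the aws_glue_table prefix")
    timefield = params.get("federated.timefield")
    if timefield and not params.get("federated.timeformat"):
        problems.append("federated.timeformat is required when federated.timefield is set")
    if timefield and timefield == params.get("federated.unixtimefield", "_time"):
        problems.append("federated.timefield must differ from federated.unixtimefield")
    fields = params.get("federated.partition.time.fields")
    if not fields:
        problems += [f"{k} requires federated.partition.time.fields"
                     for k in PARTITION_DEPENDENTS if params.get(k)]
        return problems
    if provider_type == "splunk":
        problems.append("do not set federated.partition.time.fields for a type=splunk provider")
    depth = len(split_csv(fields))
    formats = params.get("federated.partition.time.formats")
    if not formats:
        problems.append("federated.partition.time.formats is required with partition fields")
    else:
        fmts = split_csv(formats)
        if len(fmts) != depth:
            problems.append("one partition time format is needed per partition time field")
        if any(v in f for f in fmts for v in UNSUPPORTED_PARTITION_VARS):
            problems.append("%w and %JT are not supported in partition time formats")
    types = params.get("federated.partition.time.types")
    if not types:
        problems.append("federated.partition.time.types is required with partition fields")
    else:
        kinds = split_csv(types)
        if len(kinds) != depth:
            problems.append("one partition time type is needed per partition time field")
        if not {k.lower() for k in kinds} <= PARTITION_TYPES:
            problems.append("partition time types must be string, integer or date")
    return problems


def build_post_body(params):
    """Form-encode the body. A literal % in federated.timeformat goes on the
    wire as %25, which is why the page's curl example passes %25s for %s."""
    return urlencode(params)
```

Run validate_federated_index on the dict you intend to POST and send build_post_body's output as the request body only when the returned list is empty; the definition from the page's Amazon S3 example passes cleanly, while a type=splunk provider given an aws_glue_table dataset or a timefield of _time without a changed unixtimefield is reported before the request leaves the host.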

Returned values
This table is limited to settings specific to federated indexes. For descriptions of other index settings see the entry for data/indexes.

The data/indexes endpoint is available only to users of Splunk Enterprise.

Each setting is listed as name (kinds of federated indexes it applies to): description.

  • name (all federated indexes): Specifies the name of the federated index. Uses the syntax federated:<index_name>.
  • federated.provider (all federated indexes): Specifies the federated provider that contains the dataset to which this federated index maps.
  • federated.dataset (all federated indexes): Specifies the remote dataset on the federated.provider to which this federated index maps. Each federated index maps to only one dataset on a federated provider. The dataset is identified by its prefix and name, using the following syntax: <prefix>:<dataset_name>.
    If the federated.provider has type=splunk in its definition on federated.conf, the possible values for <prefix> are index, savedsearch, lastjob, and datamodel.
    If the federated.provider has type=aws_s3 in its definition on federated.conf, the <prefix> must be set to aws_glue_table.
  • federated.timefield (Federated Search for Amazon S3 federated indexes only): Specifies the time field in the AWS Glue table to which this index maps that acts like an event timestamp.
  • federated.timeformat (Federated Search for Amazon S3 federated indexes only): Specifies the time format variable or custom time format variable string that matches the federated.timefield.
  • federated.unixtimefield (Federated Search for Amazon S3 federated indexes only): An alias for the federated.timefield that Splunk software converts into numeric UNIX time format at search time.
    Insert the federated.unixtimefield into federated searches that require numeric UNIX time field values, or when you want to see your time field in numeric UNIX time format in the search results.
    Defaults to _time.
  • federated.partition.time.fields (Federated Search for Amazon S3 federated indexes only): Specifies a comma-delimited list of time-related fields in the AWS Glue table to which the index is mapped. Each field is a partition key for a partition time field level indicated by its order in the list. The first field is at the first level, the second field is at the second level, and so on.
  • federated.partition.time.formats (Federated Search for Amazon S3 federated indexes only): Specifies a comma-delimited list of time format variables or custom time format strings that correspond to the fields in the federated.partition.time.fields list. The first variable corresponds to the first field name, the second variable corresponds to the second field name, and so on.
  • federated.partition.time.types (Federated Search for Amazon S3 federated indexes only): Specifies a comma-delimited list of time field types that correspond to the fields in the federated.partition.time.fields list. Possible values are String, Integer, and Date.
  • federated.partition.time.tz (Federated Search for Amazon S3 federated indexes only): Specifies the timezone that corresponds to the fields in the federated.partition.time.fields list. Possible values are canonical timezone names such as America/Los_Angeles.

Example Federated Search for Splunk request and response
Create a new definition for a Federated Search for Splunk federated index named airports-east.

XML Request

curl -k -u admin:changeme -X POST  https://localhost:8089/services/data/federated/index -d name=federated:airports-east -d federated.provider=FenrisAirNYC -d federated.dataset=index:airports-east

XML response

<entry>
  <title>federated:fs-airports-east</title>
  <id>/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east</id>
  <updated>1969-12-31T16:00:00-08:00</updated>
  <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="alternate"/>
  <author>
    <name>nobody</name>
  </author>
  <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="list"/>
  <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/_reload" rel="_reload"/>
  <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="edit"/>
  <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east" rel="remove"/>
  <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/move" rel="move"/>
  <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aairports-east/disable" rel="disable"/>
  <content type="text/xml">
    <s:dict>
      <s:key name="assureUTF8">0</s:key>
      <s:key name="bucketMerge.maxMergeSizeMB">1000</s:key>
      <s:key name="bucketMerge.maxMergeTimeSpanSecs">7776000</s:key>
      <s:key name="bucketMerge.minMergeSizeMB">750</s:key>
      <s:key name="bucketMerging">0</s:key>
      <s:key name="coldPath.maxDataSizeMB">0</s:key>
      <s:key name="coldToFrozenDir"></s:key>
      <s:key name="coldToFrozenScript"></s:key>
      <s:key name="compressRawdata">1</s:key>
      <s:key name="datatype">event</s:key>
      <s:key name="defaultDatabase">main</s:key>
      <s:key name="disabled">0</s:key>
      <s:key name="eai:acl">
        <s:dict>
          <s:key name="app">search</s:key>
          <s:key name="can_change_perms">1</s:key>
          <s:key name="can_list">1</s:key>
          <s:key name="can_share_app">1</s:key>
          <s:key name="can_share_global">1</s:key>
          <s:key name="can_share_user">0</s:key>
          <s:key name="can_write">1</s:key>
          <s:key name="modifiable">1</s:key>
          <s:key name="owner">nobody</s:key>
          <s:key name="perms">
            <s:dict>
              <s:key name="read">
                <s:list>
                  <s:item>*</s:item>
                </s:list>
              </s:key>
              <s:key name="write">
                <s:list>
                  <s:item>*</s:item>
                </s:list>
              </s:key>
            </s:dict>
          </s:key>
          <s:key name="removable">1</s:key>
          <s:key name="sharing">app</s:key>
        </s:dict>
      </s:key>
      <s:key name="enableDataIntegrityControl">0</s:key>
      <s:key name="enableRealtimeSearch">1</s:key>
      <s:key name="enableTsidxReduction">0</s:key>
      <s:key name="federated.dataset">index:airports-east</s:key>
      <s:key name="federated.provider">FenrisAirNYC</s:key>
      <s:key name="frozenTimePeriodInSecs">188697600</s:key>
      <s:key name="homePath.maxDataSizeMB">0</s:key>
      <s:key name="hotBucketStreaming.deleteHotsAfterRestart">0</s:key>
      <s:key name="hotBucketStreaming.extraBucketBuildingCmdlineArgs"></s:key>
      <s:key name="hotBucketStreaming.removeRemoteSlicesOnRoll">0</s:key>
      <s:key name="hotBucketStreaming.reportStatus">0</s:key>
      <s:key name="hotBucketStreaming.sendSlices">0</s:key>
      <s:key name="hotBucketTimeRefreshInterval">60</s:key>
      <s:key name="indexThreads">auto</s:key>
      <s:key name="journalCompression">gzip</s:key>
      <s:key name="maxConcurrentOptimizes">3</s:key>
      <s:key name="maxDataSize">auto</s:key>
      <s:key name="maxHotBuckets">1</s:key>
      <s:key name="maxHotIdleSecs">0</s:key>
      <s:key name="maxHotSpanSecs">7776000</s:key>
      <s:key name="maxMemMB">5</s:key>
      <s:key name="maxTotalDataSizeMB">500000</s:key>
      <s:key name="maxWarmDBCount">300</s:key>
      <s:key name="memPoolMB">auto</s:key>
      <s:key name="metric.compressionBlockSize">1024</s:key>
      <s:key name="metric.enableFloatingPointCompression">1</s:key>
      <s:key name="metric.maxHotBuckets">1</s:key>
      <s:key name="metric.splitByIndexKeys"></s:key>
      <s:key name="metric.stubOutRawdataJournal">1</s:key>
      <s:key name="metric.timestampResolution">s</s:key>
      <s:key name="metric.tsidxTargetSizeMB">1500</s:key>
      <s:key name="minHotIdleSecsBeforeForceRoll">auto</s:key>
      <s:key name="minStreamGroupQueueSize">2000</s:key>
      <s:key name="quarantineFutureSecs">2592000</s:key>
      <s:key name="quarantinePastSecs">77760000</s:key>
      <s:key name="rawChunkSizeBytes">131072</s:key>
      <s:key name="rotatePeriodInSecs">60</s:key>
      <s:key name="serviceInactiveIndexesPeriod">60</s:key>
      <s:key name="serviceMetaPeriod">1</s:key>
      <s:key name="splitByIndexKeys"></s:key>
      <s:key name="streamingTargetTsidxSyncPeriodMsec">5000</s:key>
      <s:key name="suspendHotRollByDeleteQuery">0</s:key>
      <s:key name="sync">0</s:key>
      <s:key name="timePeriodInSecBeforeTsidxReduction">604800</s:key>
      <s:key name="tsidxDedupPostingsListMaxTermsLimit">8388608</s:key>
      <s:key name="tsidxReductionCheckPeriodInSec">600</s:key>
      <s:key name="tsidxTargetSizeMB">1500</s:key>
      <s:key name="tsidxWritingLevel">1</s:key>
      <s:key name="tstatsHomePath">volume:_splunk_summaries/$_index_name/datamodel_summary</s:key>
    </s:dict>
  </content>
</entry>

Example Federated Search for Amazon S3 request and response
Create a new definition for a Federated Search for Amazon S3 federated index named fss3_index.

XML Request

curl -k -u admin:changeme -X POST https://localhost:8089/services/data/federated/index -d name=federated:fss3_index -d federated.provider=my_federated_provider -d federated.dataset=aws_glue_table:table_1 -d federated.timefield=field_1 -d federated.timeformat=%25s

XML Response

<entry>
    <title>federated:fss3_index</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="list"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="federated.dataset">aws_glue_table:table_1</s:key>
        <s:key name="federated.provider">my_federated_provider</s:key>
        <s:key name="federated.timefield">field_1</s:key>
        <s:key name="federated.timeformat">%s</s:key>
        <s:key name="federated.unixtimefield">_time</s:key>
      </s:dict>
    </content>
  </entry>
</feed>

data/federated/index/{federated_index_name}

https://<host>:<mPort>/services/data/federated/index/{federated_index_name}

Use this endpoint to:

  • Retrieve a specific federated index definition.
  • Update a specific federated index definition.
  • Delete a specific federated index definition.

Some of these federated index settings are exclusive to Federated Search for Splunk, while others are exclusive to Federated Search for Amazon S3. Federated Search for Amazon S3 is available only for Splunk Cloud Platform.

For more information about defining federated indexes for Federated Search for Splunk, see Map a federated index to a remote Splunk dataset in Federated Search.

For more information about defining federated indexes for Federated Search for Amazon S3, see Map a federated index to an AWS Glue Data Catalog table dataset in Federated Search.

Authentication and Authorization
Usage of the POST and DELETE operations for this endpoint is restricted to roles that have the admin_all_objects and indexes_edit capabilities.

GET

Returns a definition of a specific {federated_index_name}.

Use federated:{federated_index_name} for a Federated Search for Splunk federated index. For a Federated Search for Amazon S3 federated index, use {federated_index_name}.

Request parameters
None specific to this method. This method can use pagination and filtering parameters.

Returned values
This table is limited to settings specific to federated indexes. For descriptions of other index settings see the entry for data/indexes.

The data/indexes endpoint is available only to users of Splunk Enterprise.

Each setting is listed as name (kinds of federated indexes it applies to): description.

  • name (all federated indexes): Specifies the name of the federated index. Uses the syntax federated:<index_name>.
  • federated.provider (all federated indexes): Specifies the federated provider that contains the dataset to which this federated index maps.
  • federated.dataset (all federated indexes): Specifies the remote dataset on the federated.provider to which this federated index maps. Each federated index maps to only one dataset on a federated provider. The dataset is identified by its prefix and name, using the following syntax: <prefix>:<dataset_name>.
    If the federated.provider has type=splunk in its definition on federated.conf, the possible values for <prefix> are index, savedsearch, lastjob, and datamodel.
    If the federated.provider has type=aws_s3 in its definition on federated.conf, the <prefix> must be set to aws_glue_table.
  • federated.timefield (Federated Search for Amazon S3 federated indexes only): Specifies the time field that acts like an event timestamp in the AWS Glue table to which this index maps.
  • federated.timeformat (Federated Search for Amazon S3 federated indexes only): Specifies the time format variable or custom time format variable string that matches the federated.timefield.
  • federated.unixtimefield (Federated Search for Amazon S3 federated indexes only): An alias for the federated.timefield that Splunk software converts into numeric UNIX time format at search time.
    Insert the federated.unixtimefield into federated searches that require numeric UNIX time field values, or when you want to see your time field in numeric UNIX time format in the search results.
    Defaults to _time.
  • federated.partition.time.fields (Federated Search for Amazon S3 federated indexes only): Specifies a comma-delimited list of time-related fields in the AWS Glue table to which the index is mapped. Each field is a partition key for a partition time field level indicated by its order in the list. The first field is at the first level, the second field is at the second level, and so on.
  • federated.partition.time.formats (Federated Search for Amazon S3 federated indexes only): Specifies a comma-delimited list of time format variables or custom time format strings that correspond to the fields in the federated.partition.time.fields list. The first variable corresponds to the first field name, the second variable corresponds to the second field name, and so on.
  • federated.partition.time.types (Federated Search for Amazon S3 federated indexes only): Specifies a comma-delimited list of time field types that correspond to the fields in the federated.partition.time.fields list. Possible values are String, Integer, and Date.
  • federated.partition.time.tz (Federated Search for Amazon S3 federated indexes only): Specifies the timezone that corresponds to the fields in the federated.partition.time.fields list. Possible values are canonical timezone names such as America/Los_Angeles.

Example Federated Search for Splunk request and response
Return the definition for a Federated Search for Splunk federated index named remote_index_df_1.

XML Request

curl -k -u admin:changeme -X GET https://localhost:8126/services/data/federated/index/federated:remote_index_df_1

XML response

<entry>
    <title>federated:remote_index_df_1</title>
    <id>https://localhost:8126/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="list"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list/>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list/>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="federated.dataset">index:index_df_1</s:key>
        <s:key name="federated.provider">provider-1</s:key>
      </s:dict>
    </content>
  </entry>

Example Federated Search for Amazon S3 request and response
Return the definition for a Federated Search for Amazon S3 federated index named fss3_index.

XML Request

curl -k -u admin:changeme -X GET https://localhost:8089/services/data/federated/index/fss3_index

XML response

<entry>
    <title>federated:fss3_index</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="list"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="federated.dataset">aws_glue_table:table_1</s:key>
        <s:key name="federated.provider">aws_s3_provider</s:key>
        <s:key name="federated.timefield">field_1</s:key>
        <s:key name="federated.timeformat">%s</s:key>
        <s:key name="federated.unixtimefield">_time</s:key>
      </s:dict>
    </content>
  </entry>
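A parser for the Atom response shown above, added here as an example and not part of Splunk's documentation or SDK: it converts the nested s:dict/s:list structure into Python data and pulls out what a reviewer looks at first (whether the index is disabled, its federated.* settings, and which roles may write the definition). The sample feed is constructed from the fss3_index response above, trimmed to the keys the code reads, with the namespace declarations taken from the full feed header shown in the DELETE example further down.

```python
"""Turn a data/federated/index Atom feed into plain Python data.

Added example, not Splunk code. Assumes the response is a complete <feed>
(or one namespaced <entry>) as returned by the endpoint; the bare <entry>
snippets printed in the documentation omit the namespace declarations.
"""
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}
S_DICT, S_LIST = f"{{{NS['s']}}}dict", f"{{{NS['s']}}}list"


def _convert(elem):
    """s:dict -> dict keyed by the name attribute, s:list -> list, else text."""
    if elem.tag == S_DICT:
        return {k.get("name"): _value(k) for k in elem.findall("s:key", NS)}
    if elem.tag == S_LIST:
        return [_value(i) for i in elem.findall("s:item", NS)]
    return (elem.text or "").strip()


def _value(node):
    """An s:key or s:item either wraps one s:dict/s:list or carries text."""
    child = next(iter(node), None)
    return _convert(child) if child is not None else (node.text or "").strip()


def parse_index_feed(xml_text):
    """Return one summary dict per <entry> in the feed."""
    root = ET.fromstring(xml_text)
    entries = root.findall("atom:entry", NS) if root.tag.endswith("}feed") else [root]
    summaries = []
    for entry in entries:
        content = entry.find("atom:content/s:dict", NS)
        data = _convert(content) if content is not None else {}
        acl = data.get("eai:acl", {})
        perms = acl.get("perms", {})
        summaries.append({
            "name": entry.findtext("atom:title", namespaces=NS),
            "disabled": data.get("disabled") == "1",   # absent key means enabled
            "settings": {k: v for k, v in data.items() if k.startswith("federated.")},
            "sharing": acl.get("sharing"),
            "write": perms.get("write", []),
        })
    return summaries


def review(summaries):
    """Findings a reviewer of federated index definitions would want to see."""
    findings = []
    for s in summaries:
        if "*" in s["write"]:
            findings.append(f"{s['name']}: every role may edit this definition (write=*)")
        if s["settings"].get("federated.timefield") and not s["settings"].get("federated.timeformat"):
            findings.append(f"{s['name']}: federated.timefield set without federated.timeformat")
    return findings


# Constructed sample: the fss3_index GET response above, trimmed to the keys used here.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>federated-index</title>
  <entry>
    <title>federated:fss3_index</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read"><s:list><s:item>*</s:item></s:list></s:key>
                <s:key name="write"><s:list><s:item>*</s:item></s:list></s:key>
              </s:dict>
            </s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="federated.dataset">aws_glue_table:table_1</s:key>
        <s:key name="federated.provider">aws_s3_provider</s:key>
        <s:key name="federated.timefield">field_1</s:key>
        <s:key name="federated.timeformat">%s</s:key>
        <s:key name="federated.unixtimefield">_time</s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""
```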

POST

Updates a definition for a specific {federated_index_name}.

Use federated:{federated_index_name} for a Federated Search for Splunk federated index. For a Federated Search for Amazon S3 federated index, use {federated_index_name}.

These tables are limited to settings specific to federated indexes. For descriptions of other index settings, see the entry for data/indexes.

The data/indexes endpoint is available only to users of Splunk Enterprise.

Request parameters

Name What kinds of federated indexes does this setting apply to? Type Description
federated.timefield Applies only to Federated Search for Amazon S3 federated indexes String Optional. Specifies the name of a time field that acts like an event timestamp in the AWS Glue table to which this index maps. In other words, the name of the field in the AWS Glue table that behaves like _time in the Splunk search processing language. You must provide a federated.timefield if you want to use time-related functions to search your remote Amazon S3 data.
federated.timeformat Applies only to Federated Search for Amazon S3 federated indexes String Optional. Specifies the time format variable or custom time format variable string that matches the federated.timefield. The time format variable string must be in Splunk strptime() format.


This setting is required if you provide a federated.timefield value.

federated.unixtimefield Applies only to Federated Search for Amazon S3 federated indexes String Optional. Specifies an alias for the federated.timefield that Splunk software converts into numeric UNIX time format at search time.


Insert the federated.unixtimefield into federated searches that require numeric UNIX time field values, or when you want to see your time field in numeric UNIX time format in the search results.

The federated.timefield for a federated index cannot have the same value as the federated.unixtimefield for that federated index. In other words, if federated.timefield is set to _time, you must change the value of federated.unixtimefield to a value other than _time.

Defaults to _time.

federated.partition.time.fields Applies only to Federated Search for Amazon S3 federated indexes String Optional. Specifies a comma-delimited list of time-related fields in your remote data. These fields govern the partitions by which remote data is organized in non-Splunk-platform federated providers (such as Amazon S3 federated providers).


Use this setting in conjunction with federated.partition.time.formats and federated.partition.time.types to identify the hierarchical structure of the data partitions in your remote data. The field list you provide for federated.partition.time.fields must correspond with the list of time formats you provide for federated.partition.time.formats and the list of data types you provide for federated.partition.time.types.

Time field names containing comma characters must be surrounded by double quote characters to prevent Splunk software from breaking such values into multiple values.

Do not set federated.partition.time.fields if the federated provider with which the federated index is associated has type=splunk.

federated.partition.time.formats Applies only to Federated Search for Amazon S3 federated indexes String Optional. Specifies a comma-delimited list of time format variable strings that correspond to the time fields listed by the federated.partition.time.fields setting. The '%w' and '%JT' time format variables are not supported by this setting. See Date and time format variables in the Search manual.



Time format variable strings containing comma characters must be surrounded by double-quote characters to prevent Splunk software from breaking such strings into multiple values.

This setting is required if you have defined a list of federated.partition.time.fields. Do not set this setting if federated.partition.time.fields is not set.

federated.partition.time.types Applies only to Federated Search for Amazon S3 federated indexes String Optional. Specifies a comma-delimited list of data type values that correspond to the time fields listed by the federated.partition.time.fields setting. The supported time field types are string, integer, and date.


This setting is required if you have defined a list of federated.partition.time.fields. Do not set this setting if federated.partition.time.fields is not set.

federated.partition.time.tz Applies only to Federated Search for Amazon S3 federated indexes String Optional. Specifies the time zone to use for the time fields listed in federated.partition.time.fields. Use only canonical time zone names such as America/Los_Angeles.


Do not set this setting if federated.partition.time.fields is not set. If this setting is not set when federated.partition.time.fields is set, Splunk software uses the per-user time zone, as declared in user-prefs.conf with the tz setting.

Returned values
This table is limited to settings specific to federated indexes. For descriptions of other index settings see the entry for data/indexes.

The data/indexes endpoint is available only to users of Splunk Enterprise.

Name What kinds of federated indexes does this setting apply to? Description
name All federated indexes Specifies the name of the federated index. Uses the syntax federated:<index_name>.
federated.provider All federated indexes Specifies the federated provider that contains the dataset to which this federated index maps.
federated.dataset All federated indexes Specifies the remote dataset on the federated.provider to which this federated index maps. Each federated index maps to only one dataset on a federated provider. The dataset is identified by its prefix and name, using the following syntax: <prefix>:<dataset_name>.


If the federated.provider has type=splunk in its definition in federated.conf, the possible values for <prefix> are index, savedsearch, lastjob, and datamodel.
If the federated.provider has type=aws_s3 in its definition in federated.conf, the <prefix> must be set to aws_glue_table.

federated.timefield Applies only to Federated Search for Amazon S3 federated indexes Specifies the time field in the AWS Glue table to which this index maps that acts like an event timestamp.
federated.timeformat Applies only to Federated Search for Amazon S3 federated indexes Specifies the time format variable or custom time format variable string that matches the federated.timefield.
federated.unixtimefield Applies only to Federated Search for Amazon S3 federated indexes An alias for the federated.timefield that Splunk software converts into numeric UNIX time format at search time.


Insert the federated.unixtimefield into federated searches that require numeric UNIX time field values, or when you want to see your time field in numeric UNIX time format in the search results.
Defaults to _time.

federated.partition.time.fields Applies only to Federated Search for Amazon S3 federated indexes Specifies a comma-delimited list of time-related fields in the AWS Glue table to which the index is mapped. Each field is a partition key for a partition time field level indicated by its order in the list. The first field is at the first level, the second field is at the second level, and so on.
federated.partition.time.formats Applies only to Federated Search for Amazon S3 federated indexes Specifies a comma-delimited list of time format variables or custom time format strings that correspond to the fields in the federated.partition.time.fields list. The first variable corresponds to the first field name, the second variable corresponds to the second field name, and so on.
federated.partition.time.types Applies only to Federated Search for Amazon S3 federated indexes Specifies a comma-delimited list of time field types that correspond to the fields in the federated.partition.time.fields list. Possible values are String, Integer, and Date.
federated.partition.time.tz Applies only to Federated Search for Amazon S3 federated indexes Specifies the timezone that corresponds to the fields in the federated.partition.time.fields list. Possible values are canonical timezone names such as America/Los_Angeles.
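A pre-flight check that applies the rules from the request parameters table above (timeformat required with timefield, timefield distinct from unixtimefield, partition fields/formats/types in lockstep, quoted comma values, canonical time zone, no partition fields for a splunk provider) together with the dataset prefix rule from the returned values table, before a definition is POSTed. This is an added example, not Splunk code; the function names and the sample settings are constructed, and the time zone check is a name-shape check rather than a zoneinfo lookup.

```python
"""Pre-flight check of a federated index definition before it is POSTed to
data/federated/index/{federated_index_name}. Added example, not Splunk code:
it encodes the constraints stated in the request-parameter table and the
dataset prefix rule in the returned-values table."""
import csv
import io
import re

PARTITION_TYPES = {"string", "integer", "date"}
SPLUNK_PREFIXES = {"index", "savedsearch", "lastjob", "datamodel"}
UNSUPPORTED_FORMAT_VARS = ("%w", "%JT")
# Shape check only (Area/Location such as America/Los_Angeles); resolving the
# name with zoneinfo would be stricter but needs tz data on the host.
CANONICAL_TZ = re.compile(r"^(UTC|[A-Z][A-Za-z]+(/[A-Za-z0-9_+-]+){1,2})$")


def split_list(value):
    """Split a comma-delimited setting value; a double-quoted item may itself
    contain commas, as the table says such names and formats must be quoted."""
    if not value:
        return []
    return [item.strip() for item in next(csv.reader(io.StringIO(value), skipinitialspace=True))]


def validate_index(settings, provider_type):
    """Return the problems found (empty list means consistent). settings holds the
    federated.* keys as they would go in the POST body; provider_type is the
    type of the provider named in federated.provider: 'splunk' or 'aws_s3'."""
    problems = []

    # federated.dataset is <prefix>:<dataset_name>; the prefix depends on provider type.
    prefix, _, name = settings.get("federated.dataset", "").partition(":")
    if not prefix or not name:
        problems.append("federated.dataset must use <prefix>:<dataset_name>")
    elif provider_type == "splunk" and prefix not in SPLUNK_PREFIXES:
        problems.append(f"prefix {prefix!r} is not valid for a splunk provider")
    elif provider_type == "aws_s3" and prefix != "aws_glue_table":
        problems.append("an aws_s3 provider requires the aws_glue_table prefix")

    timefield = settings.get("federated.timefield")
    if timefield and not settings.get("federated.timeformat"):
        problems.append("federated.timeformat is required when federated.timefield is set")
    if timefield and timefield == settings.get("federated.unixtimefield", "_time"):
        problems.append("federated.timefield and federated.unixtimefield must differ")

    fields = split_list(settings.get("federated.partition.time.fields"))
    formats = split_list(settings.get("federated.partition.time.formats"))
    types = split_list(settings.get("federated.partition.time.types"))
    tz = settings.get("federated.partition.time.tz")

    if not fields:
        # The other partition settings must not be set without the field list.
        for key in ("formats", "types", "tz"):
            if settings.get(f"federated.partition.time.{key}"):
                problems.append(f"federated.partition.time.{key} requires federated.partition.time.fields")
        return problems

    if provider_type == "splunk":
        problems.append("do not set federated.partition.time.fields for a splunk provider")
    if len(formats) != len(fields):
        problems.append(f"{len(fields)} partition fields but {len(formats)} time formats")
    if len(types) != len(fields):
        problems.append(f"{len(fields)} partition fields but {len(types)} types")
    for fmt in formats:
        for bad in UNSUPPORTED_FORMAT_VARS:
            if bad in fmt:
                problems.append(f"time format {fmt!r} uses unsupported variable {bad}")
    for kind in types:
        if kind.lower() not in PARTITION_TYPES:
            problems.append(f"unsupported partition time type {kind!r}")
    if tz and not CANONICAL_TZ.match(tz):
        problems.append(f"{tz!r} is not a canonical time zone name")
    return problems


# Constructed sample modelled on the fss3_index response shown on this page,
# with partition settings added so that every rule above is exercised.
SAMPLE_S3_INDEX = {
    "federated.dataset": "aws_glue_table:table_1",
    "federated.provider": "aws_s3_provider",
    "federated.timefield": "field_1",
    "federated.timeformat": "%s",
    "federated.unixtimefield": "_time",
    "federated.partition.time.fields": "year,month,day",
    "federated.partition.time.formats": "%Y,%m,%d",
    "federated.partition.time.types": "integer,integer,integer",
    "federated.partition.time.tz": "America/Los_Angeles",
}
```

validate_index(SAMPLE_S3_INDEX, "aws_s3") returns an empty list; each setting can then be passed to curl as its own -d key=value argument, as in the POST examples below.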

Example Federated Search for Splunk request and response
Update the dataset mapping for the Federated Search for Splunk federated:remote_index_df_1 federated index.

XML Request

curl -k -u admin:changeme -X POST https://localhost:8126/services/data/federated/index/federated:remote_index_df_1 -d federated.dataset=index:index_df_1_new

XML response

<entry>
    <title>federated:remote_index_df_1</title>
    <id>https://localhost:8126/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="list"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Aremote_index_df_1/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="federated.dataset">index:index_df_1_new</s:key>
        <s:key name="federated.provider">provider-1</s:key>
      </s:dict>
    </content>
  </entry>

Example Federated Search for Amazon S3 request and response
Update the federated.timefield for the Federated Search for Amazon S3 fss3_index federated index.

XML Request

curl -k -u admin:changeme -X POST https://localhost:8089/services/data/federated/index/fss3_index -d federated.timefield=field_2

XML response

<entry>
    <title>federated:fss3_index</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="list"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="federated.dataset">aws_glue_table:table_1</s:key>
        <s:key name="federated.provider">test_provider</s:key>
        <s:key name="federated.timefield">field_2</s:key>
        <s:key name="federated.timeformat">%s</s:key>
        <s:key name="federated.unixtimefield">_time</s:key>
      </s:dict>
    </content>
  </entry>

DELETE

Deletes a definition for a specific {federated_index_name}.

Use federated:{federated_index_name} for a Federated Search for Splunk federated index. For a Federated Search for Amazon S3 federated index, use {federated_index_name}.

Request parameters
None specific to this method.

Returned values
None specific to this method.

Example Federated Search for Splunk request and response
Delete the my_federated_index federated index.

XML Request

curl -k -u admin:changeme -X DELETE https://localhost:8089/services/data/federated/index/federated:my_federated_index

XML response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>federated-index</title>
  <id>/services/data/federated/index</id>
  <updated>2021-04-27T12:57:06-07:00</updated>
  <generator build="aa7e77c0d232b8ec1a8c12ceeda95e0bfe3c3f1c" version="20210423"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/federated/index/_new" rel="create"/>
  <link href="/services/data/federated/index/_reload" rel="_reload"/>
  <link href="/services/data/federated/index/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

Example Federated Search for Amazon S3 request and response
Delete the fss3_index federated index.

XML Request

curl -k -u admin:changeme --request DELETE https://localhost:8089/services/data/federated/index/fss3_index

XML response

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>federated-index</title>
  <id>https://localhost:8089/services/data/federated/index</id>
  <updated>2024-01-12T16:13:04-08:00</updated>
  <generator build="560faafdef34420e5bda25009961db864cef5986" version="20240110"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/federated/index/_new" rel="create"/>
  <link href="/services/data/federated/index/_reload" rel="_reload"/>
  <link href="/services/data/federated/index/_acl" rel="_acl"/>
  <opensearch:totalResults>0</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
</feed>

data/federated/index/{federated_index_name}/disable

https://<host>:<mPort>/services/data/federated/index/{federated_index_name}/disable

Use this endpoint to turn a specific federated index off. When a federated index is turned off, that federated index is not searchable in federated searches. This endpoint applies to federated indexes for Federated Search for Splunk and for Federated Search for Amazon S3. Federated Search for Amazon S3 is available only for Splunk Cloud Platform deployments.

For more information about defining federated indexes for Federated Search for Splunk, see Map a federated index to a remote Splunk dataset in Federated Search.

For more information about defining federated indexes for Federated Search for Amazon S3, see Map a federated index to an AWS Glue Data Catalog table dataset in Federated Search.

Authentication and Authorization
Usage of the POST operation for this endpoint is restricted to roles that have the admin_all_objects capability.

POST

Turn off a specific federated index.

Use federated:{federated_index_name} for a Federated Search for Splunk federated index. For a Federated Search for Amazon S3 federated index, use {federated_index_name}.

Request parameters
None specific to this method.

Returned values
None specific to this method.

Example federated search request and response
Turn off a Federated Search for Amazon S3 index named fss3_index.

XML request

curl -k -u admin:changeme -X POST https://localhost:8089/services/data/federated/index/fss3_index/disable

XML response

<entry>
    <title>federated:fss3_index</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="list"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">1</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="federated.dataset">aws_glue_table:table_1</s:key>
        <s:key name="federated.provider">test_provider</s:key>
        <s:key name="federated.timefield">field_1</s:key>
        <s:key name="federated.timeformat">%s</s:key>
        <s:key name="federated.unixtimefield">_time</s:key>
      </s:dict>
    </content>
  </entry>

data/federated/index/{federated_index_name}/enable

https://<host>:<mPort>/services/data/federated/index/{federated_index_name}/enable

Use this endpoint to turn a federated index back on after you have turned it off. When a federated index is turned on, it can be searched in federated searches. This endpoint applies to federated indexes for Federated Search for Splunk and federated indexes for Federated Search for Amazon S3. Federated Search for Amazon S3 is available only for Splunk Cloud Platform deployments.

For more information about defining federated indexes for Federated Search for Splunk, see Map a federated index to a remote Splunk dataset in Federated Search.

For more information about defining federated indexes for Federated Search for Amazon S3, see Map a federated index to an AWS Glue Data Catalog table dataset in Federated Search.

Authentication and Authorization
Usage of the POST operation for this endpoint is restricted to roles that have the admin_all_objects capability.

POST

Turns a specific federated index on.

Use federated:{federated_index_name} for a Federated Search for Splunk federated index. For a Federated Search for Amazon S3 federated index, use {federated_index_name}.

Request parameters
None specific to this method.

Returned values
None specific to this method.

Example request and response
Turn on a Federated Search for Amazon S3 federated index named fss3_index.

XML request

curl -k -u admin:changeme -X POST https://localhost:8089/services/data/federated/index/fss3_index/enable

XML response

<entry>
    <title>federated:fss3_index</title>
    <id>https://localhost:8089/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="list"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="edit"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index" rel="remove"/>
    <link href="/servicesNS/nobody/search/data/federated/index/federated%3Afss3_index/move" rel="move"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">app</s:key>
          </s:dict>
        </s:key>
        <s:key name="federated.dataset">aws_glue_table:table_1</s:key>
        <s:key name="federated.provider">test_provider</s:key>
        <s:key name="federated.timefield">field_1</s:key>
        <s:key name="federated.timeformat">%s</s:key>
        <s:key name="federated.unixtimefield">_time</s:key>
      </s:dict>
    </content>
  </entry>

Last modified on 27 August, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.3.0, 9.3.1, 9.3.2, 9.4.0

