Splunk® Enterprise

Search Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

About federated search

There may be times when you would like to run searches that query datasets outside of the Splunk platform deployment that you typically log in to. This is where federated search comes to the rescue. From your local search head, federated search gives you a holistic view of datasets across multiple geographically distributed Splunk platform deployments.

Federated search is topology-agnostic. This means that federated search works despite the complexity of the Splunk platform deployments involved. You can run a federated search across any sort of remote Splunk Cloud Platform or Splunk Enterprise deployment, whether it has a single search head or a search head cluster.

Federated search is currently unavailable for regulated (FedRAMP, PCI, and HIPAA) Splunk Cloud Platform environments.

Components of a typical federated search setup

Federated search introduces a set of terms. Familiarize yourself with them before you attempt to dig into setting up and running federated searches.

Local deployment
The Splunk platform deployment from which you perform federated searches. The federated search head for your federated search resides on your local deployment.
In this context, "local" does not refer to your physical location. If you are in London and are logging into a Splunk platform deployment located in New York City when you run a federated search, that New York City deployment is the local deployment for your federated search.
Federated provider
A remote Splunk platform deployment. Contains the remote datasets–indexes, data models, and saved searches–that you search with your federated searches.
Before you can run a federated search, you must set up federated provider definitions on the local Splunk platform deployment. These definitions enable the federated search head to make network connections to the federated provider and run searches on a remote search head on that provider through a service account. See Define a federated provider.
Federated search head
A search head residing on the local deployment that initiates federated searches. Contains federated indexes.
Federated index
An index you create on your federated search head for the purpose of running federated searches. Each federated index maps to a specific remote dataset on a federated provider. Federated indexes cannot be targets for data inputs. See Create a federated index.
Remote dataset
A dataset on a federated provider. Currently, only index datasets qualify as remote datasets for federated searches. Each federated index maps to a specific remote dataset.
Remote search head
A search head on a federated provider. A remote search head can be part of a search head cluster, but the federated search head that connects to it will not be aware of the cluster. See When federated providers use search head clustering.
Federated search
A search of one or more remote datasets on one or more federated providers. See Run federated searches.

How federated search works

The federated search process works in a manner similar to that of distributed search, where the initial processing of a search query is handled by the indexers of a Splunk platform deployment and then the results are aggregated on the search head for that deployment to produce a final result set.

Federated searches, however, are broken up into parts that are processed locally, and parts that are processed remotely, on one or more federated providers. For example, say you have a simple federated search, where only one federated provider is involved. In this case, the federated search process sends the remote portion of the search to the federated provider, where the initial part of the subsearch is processed independently by the remote search head and its indexers. The results are then sent back to the federated search head on the local Splunk platform deployment, where the local search head aggregates the remote results into the final result set for the complete federated search.

The following diagram illustrates a federated search over a remote Splunk platform deployment. The remote deployment has been set up as a federated provider. The provider has a remote dataset–an index–that is available for federated searches. On the local Splunk platform deployment, a federated index on the federated search head is mapped to the remote datasets. Super Basic Federated Search v1.png

A simple federated search for this setup might look like this:

index=federated:provider1_fedindex1 | stats count

This search references a federated index named provider1_fedindex1. The provider1_fedindex1 federated index is mapped to the remote dataset stored on Federated Provider 1. This means that the remote search head will run the stats count operation for this search specifically on the remote dataset. The remote search head then returns the results to your local search head, which presents them without further aggregation, as there are no additional datasets involved in the search.

See Run federated searches to learn how to write federated searches.

Federated search configurations supported in this release

The types of federated search configurations you can run depends on the type of Splunk platform deployment you are running locally.

Type of the local Splunk platform deployment Splunk platform deployment types you can set up as federated providers
Splunk Cloud Platform (version 8.1.2012 or higher) Splunk Cloud Platform (version 8.1.2012 or higher)
Splunk Enterprise (version 8.2.0 or higher) Splunk Cloud Platform (version 8.2.2104 or higher)

Splunk Enterprise (version 8.2.0 or higher)

In other words, if your local deployment is on Splunk Cloud Platform, you can run federated searches over other Splunk Cloud Platform deployments. And if your local deployment is on Splunk Enterprise, you can run federated searches over remote Splunk Cloud Platform deployments and remote Splunk Enterprise deployments.

If you have a Splunk Enterprise deployment that is lower than 8.2 and want to run federated searches without upgrading the entire deployment, you can upgrade a single search head in that deployment to 8.2 and run federated searches from that search head.

Currently, federated search for Splunk Enterprise is limited to Splunk Enterprise deployments that have been built over the Linux operating system. This restriction will be removed in future versions of Splunk Enterprise. This restriction does not affect Splunk Cloud Platform deployments.

Federated search security

When you run a federated search, the communication between the local Splunk platform deployment and any remote Splunk platform deployment that you have designated as a federated provider is facilitated by a dedicated service user account that is set up on the federated provider. When you run a federated search that involves that federated provider, the federated provider portion of the search runs in the context of that service account.

You can apply role-based access control filters to a federated provider service account to impose restrictions on the range of data that federated searches can access on a federated provider. For example, you can set up service accounts that have index restrictions, SPL filters, restrictions on search time ranges, and more.

On the local Splunk platform deployment, you can also set up role-based index restrictions for the federated indexes that you define.

As a best practice for federated search security, you can set up a role on the local Splunk platform deployment that has its index permissions limited strictly to only the local and federated indexes that are necessary for federated searches. Assign this role to users on the local deployment that must run federated searches.

For more information about setting up role-based access control restrictions:

Next steps for running federated searches

You cannot run federated searches until you create federated provider definitions for the remote Splunk platform deployments that you intend to search. See Define a federated provider.

After you create your federated provider definitions, you must define federated indexes. Federated indexes live on the federated search head, which in turn resides on the local deployment for the federated search. Each federated index you define is mapped to a specific dataset on a federated provider. See Create a federated index.

For information about constructing and running federated searches, see Run federated searches.

Last modified on 16 June, 2021
PREVIOUS
Scheduling searches
  NEXT
Migrate from hybrid search to federated search

This documentation applies to the following versions of Splunk® Enterprise: 8.2.0, 8.2.1


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters