About federated search
You can run federated searches to search datasets outside of your local Splunk platform deployment. From your local search head, federated search gives you a holistic view of datasets across multiple Splunk platform deployments.
Federated search is topology-agnostic, so it works despite the complexity of the Splunk platform deployments involved. You can run a federated search across any remote Splunk Cloud Platform or Splunk Enterprise deployment.
Components of a typical federated search setup
Federated search introduces a set of terms. Familiarize yourself with them before you attempt to dig into setting up and running federated searches.
A search of one or more remote datasets on one or more federated providers.
The Splunk platform deployment from which you run federated searches. The federated search head for your federated search resides on your local deployment.
In this context, "local" does not refer to your physical location. If you are in London and are logging into a Splunk platform deployment located in New York City when you run a federated search, that New York City deployment is the local deployment for your federated search.
Federated search head
A search head residing on your local deployment that initiates federated searches.
A remote Splunk platform deployment. Contains the data that you search with your federated searches.
Before you can run federated searches, you must create federated provider definitions on the local deployment. A federated provider definition serves several purposes:
- It enables the federated search head to make network connections to the federated provider and run searches on a remote search head on that provider through a service account.
- It determines whether the federated provider runs in standard or transparent mode, which in turn affects how you write and run federated searches.
Remote search head
A search head on a federated provider.
An index you create on your federated search head to run federated searches over standard mode federated providers. Each federated index maps to a specific remote dataset on a standard mode federated provider. Federated indexes do not ingest data or events. They provide a logical mapping to remote datasets. See Create a federated index.
A dataset on a standard mode federated provider. Currently, only events indexes, metrics indexes, data models, saved searches, and last jobs run by scheduled searches qualify as remote datasets. See Create a federated index.
How federated search works
The federated search process works similarly to distributed search. On a distributed search, the initial processing of a search is handled by the indexers of a Splunk platform deployment, and then the results are aggregated on the search head for that deployment to produce a final result set.
Federated searches, however, are broken up into parts that are processed on a "local" Splunk platform deployment and parts that are processed on one or more remote deployments. Each of these remote deployments is a federated provider.
For example, say you have a simple federated search that involves only one federated provider. In this case, the federated search process sends the remote portion of the search to the federated provider. On the federated provider, the remote search head and its indexers process the search independently, performing a pre-aggregation of the results. The remote search head then sends the results back to the federated search head on the local deployment, where the local search head aggregates the remote results into the final result set for the complete federated search.
The following diagram illustrates a federated search over a remote deployment. The remote deployment is a standard mode federated provider. The federated provider has an events index dataset that is available for federated searches. On the local deployment, a federated index on the federated search head maps to a remote dataset.
The federated index in this example is there because the federated provider in this example is a standard mode federated provider. Transparent mode federated providers do not require federated indexes.
A simple federated search for this setup might look like this:
index=federated:provider1_fedindex1 | stats count
This search references a federated index named
provider1_fedindex1 federated index maps to the remote dataset stored on Federated Provider 1. The remote search head uses this mapping to send back events from its remote index dataset to the federated search head on your local deployment. The federated search head runs the
stats count operation on those events. When this
stats count aggregation is complete, the federated search head presents the results without additional processing, as there are no additional datasets involved in the search.
See Run federated searches to learn how to write federated searches.
Kinds of federated searches you can set up
This table lists the four kinds of federated searches that you can set up, and the Splunk Enterprise or Splunk Cloud Platform versions that those types of federated searches require.
|Kind of federated search
|Splunk Enterprise to Splunk Enterprise
|Splunk Enterprise (version 8.2.0 or higher)
|Splunk Enterprise (version 8.2.0 or higher)
|Splunk Cloud Platform to Splunk Cloud Platform
|Splunk Cloud Platform (version 8.1.2103 or higher)
|Splunk Cloud Platform (version 8.1.2103 or higher)
|Splunk Enterprise to Splunk Cloud Platform
|Splunk Enterprise (version 8.2.0 or higher)
|Splunk Cloud Platform (version 8.2.2104 or higher)
|Splunk Cloud Platform to Splunk Enterprise
|Splunk Cloud Platform (version 8.2.2203 or higher)
|Splunk Enterprise (version 9.0.0 or higher)
If you have a Splunk Enterprise deployment that is lower than 8.2 and want to run federated searches without upgrading the entire deployment, you can upgrade a single search head in that deployment to 8.2 and run federated searches from that search head.
Splunk Cloud Platform environment and region support
Federated search supports Splunk Cloud Platform deployments in AWS and Google Cloud.
For the conditions and limitations that apply to region support for federated search in AWS and Google Cloud, including search between regions and the support of regulated cloud environments, see the coverage of federated search in the Splunk Cloud Platform Service Description.
About the standard and transparent modes
When you define a federated provider, you must decide what mode you want that provider to use. Federated provider modes offer different federated search experiences, and you must select the mode that best fits your needs.
You have two federated provider mode options: standard and transparent.
- Choose standard mode if you want to restrict data access to specific remote datasets such as indexes, saved searches, last scheduled search jobs, or data models. Standard mode is the best fit for federated search users who are not migrating from a hybrid search setup.
- Choose transparent mode if you use hybrid search and want to migrate to federated search. Transparent mode lets you run your hybrid mode searches without syntax changes.
Federated search does not support setting up a mix of transparent mode and standard mode federated providers for the same local deployment, as this practice can introduce unexpected complications. All of your federated providers should use the same provider mode.
Transparent mode is available in Splunk Cloud Platform version 8.2.2107 and higher and Splunk Enterprise version 9.0.0 and higher. The following table describes the differences between the two modes.
|Standard mode federated search
|Transparent mode federated search
|Kinds of federated search
|Applies to the following kinds of federated search:
|Applies to Splunk Enterprise to Splunk Cloud Platform federated search, if you are migrating from a hybrid search setup.
You can associate a single remote deployment with multiple standard mode federated provider definitions. For example, for one remote deployment you might set up different standard mode federated provider definitions for different application contexts.
|Requires federated provider definition only.
You can associate a single remote deployment with only one transparent mode federated provider definition. See Define a federated provider.
|User permissions applied to remote portion of search
|The federated search runs on the federated provider with the permissions of the service account user you define on the federated provider.
|The federated search runs on the federated provider with the permissions of the user who initiates the search on the local deployment.
|Application context of remote portion of search
|Uses the application context set in the federated provider definition.
|Uses the application context of the local search.
|Knowledge objects applied to remote portions of searches
|Uses knowledge objects that are defined on the remote search head of the federated provider.
See Custom knowledge object coordination for standard mode federated providers.
|Through bundle replication, uses knowledge objects from the federated search head of the local deployment.
|The role-based access control permissions for the service account user on the federated provider determine what your local users can search on the federated provider.
In addition, access to federated indexes is role-based, which allows you to restrict your local users' ability to search remote datasets on the federated provider.
|The role-based access control permissions for your local users determine what your users can search on the federated provider, with the exception of remote indexes, the access to which is governed by the remote federated provider service account.
In addition, to activate transparent mode federated search capabilities for the federated provider, the service account must have the fsh_manage capability.
|Which local searches run as federated searches on the federated provider?
|Only local searches that invoke federated indexes run over remote datasets on federated providers. Searches that do not invoke federated indexes run only on your local deployment.
|When you connect your local instance to a transparent mode federated provider, all of your local searches run over that federated provider as federated searches, whether or not you intend for them to search remote datasets on that provider. This might reduce the performance of searches that you intend to run only over your local deployment.
|Special search processing language (SPL) syntax required?
|Can send only specific subsearches to the remote search head?
|Can run entire federated search on the remote search head?
|Provides separate namespace for remote indexes (to avoid name collisions)?
|Can run remote saved searches?
|Can search unaccelerated data models?
|Yes. In your search, reference a local federated index that maps to a remote data model on the federated provider.
|Yes. In your search, reference a local data model to get data from your local deployment as well as remote data from the federated provider.
|Can search accelerated data models?
|Yes. In your search, reference a local federated index that maps to a remote accelerated data model on the federated provider.
|Yes. When you use transparent mode, accelerated data models on your local search head create data model summaries on your local indexers and on the remote indexers of your federated providers. In your search, reference a local accelerated data model to return both local and remote results.
The ability to run transparent mode federated searches over accelerated data models requires that both your local and remote Splunk platform deployments be at either Splunk Cloud Platform 9.0.2303 or higher, or Splunk Enterprise 9.1.0 or higher.
|Standard mode searches cannot include:
|Transparent mode federated searches have the following SPL limitations:
|You can search the following types of remote datasets on a federated provider:
|You can search events and metrics indexes on a federated provider.
About federated search and Splunk security and IT products
Federated search supports Splunk IT Service Intelligence version 4.16.0 and higher, for transparent mode federated search only. For more information, see New features in Splunk IT Service Intelligence in the ITSI 4.16.0 Release Notes.
Federated search does not currently support Splunk Enterprise Security.
Set up federated search between Splunk platform deployments
Complete the following steps to set up federated search between a local deployment and a remote deployment.
To run federated searches, Splunk Cloud Platform deployments require additional configuration from Splunk Support. This is true whether the Splunk Cloud Platform deployment is on the local or remote side of the federated search. If you are setting up federated search between two Splunk Cloud Platform deployments, you must contact Splunk Support for both deployments.
If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Customer Support.
|For more information see
|Determine the federated provider mode of the remote deployment.
|About standard and transparent mode
|Set up a service account on the remote deployment.
|Service accounts and federated search security
|Apply a federated provider definition to the remote deployment. Set the provider mode.
|Define a federated provider
|If you have defined a standard mode federated provider, define one or more federated indexes for it.
|Create a federated index
|If you have defined a standard mode federated provider and you intend to run federated searches that are dependent on custom knowledge objects, ensure those knowledge objects exist on the remote search head.
|Custom knowledge object coordination for standard mode federated providers
|Run federated searches.
|Run federated searches
Migrate from hybrid search to federated search
This documentation applies to the following versions of Splunk® Enterprise: 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0