Splunk Cloud

Search Manual


About federated search

There may be times when you would like to run searches that query datasets outside of the Splunk Cloud Platform deployment that you typically log in to. This is where federated search comes to the rescue. From your local search head, federated search gives you a holistic view of datasets across multiple Splunk Cloud Platform deployments.

Federated search is topology-agnostic: it works regardless of how the Splunk Cloud Platform deployments involved are structured. You can run a federated search across any remote Splunk Cloud Platform deployment, whether it has a single search head or a search head cluster.

Federated search is currently unavailable for regulated (FedRAMP, PCI, and HIPAA) Splunk Cloud Platform environments.

Components of a typical federated search setup

Federated search introduces a set of terms. Familiarize yourself with them before you attempt to dig into setting up and running federated searches.

Local deployment
The Splunk Cloud Platform deployment from which you perform federated searches. The federated search head for your federated search resides on your local deployment.
In this context, "local" does not refer to your physical location. If you are in London and are logging into a Splunk Cloud Platform deployment located in New York City when you run a federated search, that New York City deployment is the local deployment for your federated search.
Federated provider
A remote Splunk Cloud Platform deployment. Contains the remote datasets (indexes, data models, and saved searches) that you search with your federated searches. Currently, only index datasets can be targeted by federated searches.
Before you can run a federated search, you must set up federated provider definitions on the local Splunk Cloud Platform deployment. These definitions enable the federated search head to make network connections to the federated provider and run searches on a remote search head on that provider through a service account. See Define a federated provider.
Federated search head
A search head residing on the local deployment that initiates federated searches. Contains federated indexes.
Federated index
An index you create on your federated search head for the purpose of running federated searches. Each federated index maps to a specific remote dataset on a federated provider. Federated indexes cannot be targets for data inputs. See Create a federated index.
Remote dataset
A dataset on a federated provider. Currently, only index datasets qualify as remote datasets for federated searches. Each federated index maps to a specific remote dataset.
Remote search head
A search head on a federated provider. A remote search head can be part of a search head cluster, but the federated search head that connects to it will not be aware of the cluster. See When federated providers use search head clustering.
Federated search
A search of one or more remote datasets on one or more federated providers. See Run federated searches.

How federated search works

The federated search process works in a manner similar to that of distributed search, where the initial processing of a search query is handled by the indexers of a Splunk Cloud Platform deployment and then the results are aggregated on the search head for that deployment to produce a final result set.

Federated searches, however, are broken up into parts that are processed locally, and parts that are processed remotely, on one or more federated providers. For example, say you have a simple federated search, where only one federated provider is involved. In this case, the federated search process sends the remote portion of the search to the federated provider, where the initial part of the subsearch is processed independently by the remote search head and its indexers. The results are then sent back to the federated search head on the local Splunk Cloud Platform deployment, where the local search head aggregates the remote results into the final result set for the complete federated search.

The following diagram illustrates a federated search over a remote Splunk Cloud Platform deployment. The remote deployment has been set up as a federated provider. The provider has a remote dataset (an index) that is available for federated searches. On the local Splunk Cloud Platform deployment, a federated index on the federated search head is mapped to that remote dataset.

[Diagram: Super Basic Federated Search]

A simple federated search for this setup might look like this:

index=federated:provider1_fedindex1 | stats count

This search references a federated index named provider1_fedindex1. The provider1_fedindex1 federated index is mapped to the remote dataset stored on Federated Provider 1. This means that the remote search head will run the stats count operation for this search specifically on the remote dataset. The remote search head then returns the results to your local search head, which presents them without further aggregation, as there are no additional datasets involved in the search.

See Run federated searches to learn how to write federated searches.

Federated search security

When you run a federated search, the communication between the local Splunk Cloud Platform deployment and any remote Splunk Cloud Platform deployment that you have designated as a federated provider goes through a dedicated service account that is set up on the federated provider. The federated provider portion of the search runs in the context of that service account. This means that the role assigned to the service account is the effective limit on what the remote portion of any federated search can read, regardless of which local user runs the search.

You can apply role-based access control restrictions to the role of a federated provider service account to limit the range of data that federated searches can access on that federated provider. For example, you can give the service account role index restrictions, search filters (SPL), restrictions on search time ranges, and more.

On the local Splunk Cloud Platform deployment, you can also set up role-based index restrictions for the federated indexes that you define.

As a best practice for federated search security, set up a role on the local Splunk Cloud Platform deployment whose index permissions are limited to the local and federated indexes that federated searches need, and assign that role to the local users who must run federated searches.
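As an added illustration (not part of this topic, and not Splunk's own configuration), the restrictions described above expressed as role stanzas in the form they take in authorize.conf. In Splunk Cloud Platform you set these through Settings > Roles in Splunk Web rather than by editing the file; the stanza form is shown because it states each setting compactly. The role names, index names, sourcetype, quotas, and the 30-day time window are hypothetical. The use of the federated: prefix inside srchIndexesAllowed on the local side is an assumption based on how the federated index is named in the search string.

```ini
# --- On the federated provider (remote deployment) ---
# Weak service-account role: inherits a broad built-in role and
# puts no limit on indexes, search terms, or time range. Every
# federated search from every local user would run with this reach.
[role_fedsearch_svc_weak]
importRoles = power
srchIndexesAllowed = *
srchTimeWin = -1

# Hardened service-account role: no imported roles (imported roles'
# index allowances are unioned, so importing a broad role silently
# widens access), only the index the federated index maps to, a search
# filter that pins the role to one sourcetype, a 30-day search window
# (seconds), and small job/disk quotas to bound runaway remote searches.
# Add any further capabilities the "Define a federated provider" topic
# requires for the service account; this example grants only search.
[role_fedsearch_svc]
search = enabled
srchIndexesAllowed = web_proxy
srchIndexesDefault = web_proxy
srchFilter = sourcetype=proxy_access
srchTimeWin = 2592000
srchJobsQuota = 5
srchDiskQuota = 500

# --- On the local deployment (federated search head) ---
# Role for analysts who run federated searches: only the local index
# they need plus the one federated index (federated:<name> is the
# assumed form). Do not import a role with a wider index list.
[role_fedsearch_user]
search = enabled
srchIndexesAllowed = proxy_local;federated:provider1_fedindex1
srchIndexesDefault = proxy_local
```

Two checks worth making after applying settings like these: log in as the service account on the provider and confirm that a search such as index=* over "All time" returns only events from the allowed index and sourcetype within the window, and log in as a local user holding only role_fedsearch_user and confirm that index=federated:provider1_fedindex1 works while other federated indexes are rejected.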

For more information about setting up role-based access control restrictions:

Next steps for running federated searches

You cannot run federated searches until you create federated provider definitions for the remote Splunk Cloud Platform deployments that you intend to search. See Define a federated provider.

After you create your federated provider definitions, you must define federated indexes. Federated indexes live on the federated search head, which in turn resides on the local deployment for the federated search. Each federated index you define is mapped to a specific dataset on a federated provider. See Create a federated index.

For information about constructing and running federated searches, see Run federated searches.

Last modified on 14 May, 2021

This documentation applies to the following versions of Splunk Cloud: 8.1.2103

