Splunk Cloud

Search Manual

This documentation does not apply to the most recent version of Splunk Cloud.

Create a federated index

After you set up one or more remote Splunk platform deployments to be used as federated providers for your local Splunk platform deployment, you need to define federated indexes for use in federated searches. The Splunk software creates federated indexes on the federated search head of your local Splunk platform deployment. Each federated index you define maps to one remote dataset on a federated provider. Federated indexes are events indexes.

In this step, you:

  • Provide the name of the federated index.
  • Select the federated provider which contains the remote dataset to which the federated index is mapped.
  • Specify the remote dataset to which the federated index is mapped.

You can map a federated index to only one remote dataset at a time. If a federated provider contains several remote datasets over which you want to run federated searches, you can define a separate federated index for each dataset.

After you define your federated indexes, you can reference them in federated searches. When you reference a federated index in a search, you are saying that you want to search over the remote dataset to which the federated index maps. See Run federated searches.

Specifying remote datasets

When you define a federated index, you map it to a specific remote dataset on a federated provider. Remote datasets can be indexes or saved searches.

Benefits of remote saved search datasets

You can use remote saved search datasets to get around certain limitations of federated searches. For example, federated searches cannot be the following kinds of searches:

  • Searches that use metrics search commands such as mstats to search data in metrics indexes.
  • Searches that use the tstats command to reference data models.
  • Searches that use any generating commands other than search or from.

However, when you define your federated indexes, you can designate these kinds of saved searches as remote datasets. Then you can write federated searches that reference those federated indexes. See Run federated searches.

Remote dataset restrictions

The following kinds of indexes and saved searches cannot be used as remote datasets for federated searches. Do not map federated indexes to them.

  • Metrics indexes
  • Federated indexes
  • Saved searches that contain references to federated indexes

In addition, be aware of the permission settings on saved searches that you want to use as datasets. Such saved searches must either be shared globally, or they must have the same app context as the federated provider that the federated index is associated with.

For example, if you are creating a federated index for a federated provider that is associated with the Search app, any saved search dataset for that index must be shared with the Search app as well, or shared globally.

Prerequisites

Steps

  1. Go to Settings > Federated Search.
  2. On the Federated Indexes tab, click Add Federated Index.
  3. Using the following table, specify the settings for your federated index.
    Federated Index Name
      Description: Specify the name of the federated index you intend to create. Each federated index maps to only one remote dataset, so the name should reference that dataset.

      Federated index names have the following restrictions:
      • They may contain only lowercase letters, numbers, underscores, and hyphens.
      • They must begin with a letter or number.
      • They cannot be more than 2048 characters in length.
      • They cannot contain the string "kvstore".
      Default value: No default

    Federated Provider
      Description: Select the federated provider that contains the dataset to which this federated index will map. The list displays the federated providers that have been defined for this Splunk platform deployment.
      Default value: No default

    Dataset Specification
      Description: Specify the Type of remote dataset that this federated index maps to and provide the Object Name for the dataset.

      Dataset Type options are Index and Saved Search.

      For Object Name, you must provide the name of a dataset of the selected Type that currently exists on the selected federated provider.
      Default value: The dataset Type defaults to Index. Object Name has no default.
  4. Click Save to save the federated index configuration and create the index on the federated search head of your local Splunk platform deployment.

You can view the federated indexes that you have created for your deployment at any time by selecting Settings > Federated Search > Federated Indexes.

Do not designate federated indexes as default indexes for roles or data inputs.

Currently, federated indexes do not appear on the Indexes listing page at Settings > Indexes. This will be corrected in a forthcoming Splunk platform release.
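
The name restrictions in the settings table and the remote dataset restrictions described earlier can be checked together before a federated index is created. The following Python check is an added example, not Splunk code: the function name, the inventory layout, the sharing values (`user`, `app`, `global`) and the `index=federated:` reference pattern are assumptions made for illustration, and the inventory is constructed sample data.

```python
import re

# Name rules from the settings table: lowercase letters, digits, "_" and "-", starting with a letter or digit.
NAME_RE = re.compile(r"[a-z0-9][a-z0-9_-]*")
# Assumption: SPL refers to a federated index as index=federated:<name>.
FEDERATED_REF = re.compile(r'\bindex\s*=\s*"?federated:', re.IGNORECASE)

# Constructed inventory of one federated provider (hypothetical layout).
SAMPLE_REMOTE = {
    "indexes": {"web_logs": "events", "host_metrics": "metrics"},
    "savedsearches": {
        "cpu_by_host": {"search": "| mstats avg(cpu.pct) WHERE index=host_metrics BY host",
                        "sharing": "app", "app": "search"},
        "private_report": {"search": "index=web_logs status=500",
                           "sharing": "user", "app": "search"},
        "chained": {"search": "index=federated:other_idx | stats count",
                    "sharing": "global", "app": "search"},
    },
}


def check_federated_index(name, dataset_type, object_name, provider_app, remote):
    """Return the list of rule violations for one planned federated index."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("name: bad character or first character")
    if len(name) > 2048:
        problems.append("name: longer than 2048 characters")
    if "kvstore" in name:
        problems.append('name: contains "kvstore"')
    if dataset_type == "index":
        kind = remote["indexes"].get(object_name)
        if kind is None:
            problems.append("dataset: index not found on provider")
        elif kind != "events":
            problems.append(f"dataset: {kind} index cannot be a remote dataset")
    elif dataset_type == "savedsearch":
        ss = remote["savedsearches"].get(object_name)
        if ss is None:
            problems.append("dataset: saved search not found on provider")
        else:
            if FEDERATED_REF.search(ss["search"]):
                problems.append("dataset: saved search references a federated index")
            shared_with_app = ss["sharing"] == "app" and ss["app"] == provider_app
            if ss["sharing"] != "global" and not shared_with_app:
                problems.append("dataset: saved search not shared globally or with provider app")
    else:
        problems.append("dataset: type must be index or savedsearch")
    return problems
```

An empty list means the planned index passes every rule on this page; the `mstats` saved search passes because saved searches of that kind are allowed as remote datasets.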

Last modified on 08 June, 2021

This documentation applies to the following versions of Splunk Cloud: 8.2.2104

