About federated search
You can run federated searches to search datasets outside of your local Splunk deployment. From your local search head, federated search gives you a holistic view of datasets across multiple Splunk platform deployments.
Federated search is topology-agnostic, so it works despite the complexity of the Splunk platform deployments involved. You can run a federated search across any remote Splunk Cloud Platform or Splunk Enterprise deployment, whether it has a single search head or a search head cluster.
Federated search is currently unavailable for regulated (FedRAMP, PCI, and HIPAA) Splunk Cloud Platform environments.
Components of a typical federated search setup
Federated search introduces a set of terms. Familiarize yourself with them before you attempt to dig into setting up and running federated searches.
Federated search
A search of one or more remote datasets on one or more federated providers.
Local Splunk platform deployment
The Splunk platform deployment from which you perform federated searches. The federated search head for your federated search resides on your local deployment.
In this context, "local" does not refer to your physical location. If you are in London and are logging into a Splunk platform deployment located in New York City when you run a federated search, that New York City deployment is the local deployment for your federated search.
Federated provider
A remote Splunk platform deployment. Contains the remote datasets that you search with your federated searches, such as indexes and saved searches.
Before you can run a federated search, you must set up federated provider definitions on the local Splunk platform deployment. These definitions enable the federated search head to make network connections to the federated provider and run searches on a remote search head on that provider through a service account. See Define a federated provider.
Federated search head
A search head residing on the local deployment that initiates federated searches. Contains federated indexes.
Federated index
An index you create on your federated search head to run federated searches. Each federated index maps to a specific remote dataset on a federated provider. Federated indexes can't be targets for data inputs. See Create a federated index.
Remote dataset
A dataset on a federated provider. Currently, only indexes and saved searches qualify as remote datasets.
Remote search head
A search head on a federated provider. A remote search head can be part of a search head cluster, but the federated search head that connects to it won't be aware of the cluster. See When federated providers use search head clustering.
How federated search works
The federated search process works similarly to distributed search. The initial processing of a search is handled by the indexers of a Splunk platform deployment, and then the results are aggregated on the search head for that deployment to produce a final result set.
Federated searches, however, are broken up into parts that are processed locally and parts that are processed remotely. The remote processing takes place on one or more federated providers.
For example, say you have a simple federated search that involves only one federated provider. In this case, the federated search process sends the remote portion of the search to the federated provider, where the initial part of the subsearch is processed independently by the remote search head and its indexers. The remote search head then sends the results back to the federated search head on the local Splunk platform deployment, where the local search head aggregates the remote results into the final result set for the complete federated search.
The following diagram illustrates a federated search over a remote Splunk platform deployment. The remote deployment is set up as a federated provider. The provider has an index dataset that is available for federated searches. On the local Splunk platform deployment, a federated index on the federated search head is mapped to that remote dataset.
A simple federated search for this setup might look like this:
index=federated:provider1_fedindex1 | stats count
This search references a federated index named provider1_fedindex1. That federated index is mapped to the remote dataset stored on Federated Provider 1. The remote search head uses this mapping to send the events in the remote index to the federated search head on your local deployment. The federated search head runs the stats count operation on those events. When the stats count aggregation is complete, the federated search head presents the results without additional processing, as there are no additional datasets involved in the search.
See Run federated searches to learn how to write federated searches.
Supported federated search configurations
The types of federated search configurations you can run depend on the type of Splunk platform deployment you are running locally.

| Type of the local Splunk platform deployment | Splunk platform deployment types you can set up as federated providers |
|---|---|
| Splunk Cloud Platform (version 8.1.2012 or higher) | Splunk Cloud Platform (version 8.1.2012 or higher) |
| Splunk Enterprise (version 8.2.0 or higher) | Splunk Cloud Platform (version 8.2.2104 or higher); Splunk Enterprise (version 8.2.0 or higher) |
If your local deployment is on Splunk Cloud Platform, you can run federated searches over other Splunk Cloud Platform deployments. If your local deployment is on Splunk Enterprise, you can run federated searches over remote Splunk Cloud Platform deployments and remote Splunk Enterprise deployments.
If you have a Splunk Enterprise deployment that is lower than 8.2 and want to run federated searches without upgrading the entire deployment, you can upgrade a single search head in that deployment to 8.2 and run federated searches from that search head.
Currently, federated search for Splunk Enterprise is limited to Splunk Enterprise deployments that run on the Linux operating system. This restriction does not affect Splunk Cloud Platform deployments.
Federated search security
When you run a federated search, the communication between the local Splunk platform deployment and any remote Splunk platform deployment that you designate as a federated provider is facilitated by a dedicated service user account. This account is set up on the federated provider. When you run a federated search that involves that federated provider, the federated provider portion of the search runs in the context of that service account.
You can apply role-based access control restrictions to the role of a federated provider service account to limit the range of data that federated searches can access on that provider. For example, you can give the service account's role index restrictions, an SPL search filter, a limit on search time ranges, and more. If you set up federated indexes that search saved search datasets, you can also limit access to those searches by adjusting their permissions.
On the local Splunk platform deployment, you can also set up role-based index restrictions for the federated indexes that you define.
As a best practice for federated search security, you can set up a role on the local Splunk platform deployment that strictly limits its index permissions to only the local and federated indexes that are necessary for federated searches. Assign this role to users on the local deployment that must run federated searches.
See the following topics for more information about setting up role-based access control restrictions:
- To set up restrictions for roles on a Splunk Cloud Platform deployment, see Manage Splunk Cloud users and roles in the Splunk Cloud Admin Manual.
- To set up restrictions for roles on a Splunk Enterprise deployment, see Create and manage roles with Splunk Web in the Securing the Splunk Platform manual.
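The checks the preceding paragraphs recommend, applied to role definitions in authorize.conf, as an added example that is not Splunk's own code. It parses role stanzas from a constructed authorize.conf fragment and flags a provider-side service account role that has no index restriction, no SPL filter or no time window, and a local role that is not limited to the exact local and federated indexes it needs. The settings it inspects (srchIndexesAllowed, srchIndexesDefault, srchFilter, srchTimeWin) are real authorize.conf settings; the role names, index names and filter values are constructed, and the example assumes that a federated index appears in srchIndexesAllowed under its federated: name, the same name the search on this page uses.

```python
"""Least-privilege check for federated search roles.

Added example, not Splunk's own code. It parses authorize.conf-style role
stanzas and flags roles that give a federated provider service account, or a
local federated-search user, more reach than the page recommends.
The keys checked (srchIndexesAllowed, srchIndexesDefault, srchFilter,
srchTimeWin) are real authorize.conf settings; the stanza contents and index
names below are constructed for this example.
"""
import configparser
from dataclasses import dataclass

# Constructed sample: three role stanzas in authorize.conf syntax.
SAMPLE_AUTHORIZE_CONF = """
# Provider side, first attempt: the service account can read every index.
[role_fed_service_broad]
srchIndexesAllowed = *;_*
srchIndexesDefault = main

# Provider side, hardened: named indexes, an SPL filter and a 7-day window.
[role_fed_service]
srchIndexesAllowed = web_proxy;windows_auth
srchIndexesDefault = web_proxy
srchFilter = host=web*
srchTimeWin = 604800

# Local side: users who run federated searches see one local index and one
# federated index (assumption: federated indexes are listed under their
# "federated:" name, as the search on this page references them).
[role_fed_analyst]
srchIndexesAllowed = local_auth;federated:provider1_fedindex1
srchIndexesDefault = local_auth
"""


@dataclass(frozen=True)
class Finding:
    role: str
    problem: str


def parse_roles(conf_text: str) -> dict[str, dict[str, str]]:
    """Return {role name: {setting: value}} for every [role_<name>] stanza."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep setting names case-sensitive, as Splunk does
    parser.read_string(conf_text)
    return {
        section[len("role_"):]: dict(parser[section])
        for section in parser.sections()
        if section.startswith("role_")
    }


def allowed_indexes(settings: dict[str, str]) -> list[str]:
    """srchIndexesAllowed is a semicolon-separated list of index names or globs."""
    return [i.strip() for i in settings.get("srchIndexesAllowed", "").split(";") if i.strip()]


def check_provider_service_role(role: str, settings: dict[str, str]) -> list[Finding]:
    """Checks for the service account role on the federated provider."""
    findings = []
    indexes = allowed_indexes(settings)
    if not indexes or any("*" in name for name in indexes):
        findings.append(Finding(role, "srchIndexesAllowed is empty or uses a wildcard; name only the indexes federated searches need"))
    if not settings.get("srchFilter", "").strip():
        findings.append(Finding(role, "no srchFilter; add an SPL filter so the service account can return only the events it should"))
    try:
        window = int(settings.get("srchTimeWin", "-1"))
    except ValueError:
        window = -1
    if window <= 0:  # -1 (unset) and 0 (infinite) both leave the role unrestricted
        findings.append(Finding(role, "no positive srchTimeWin; bound how far back a federated search can reach"))
    return findings


def check_local_federated_role(role: str, settings: dict[str, str],
                               known_federated_indexes: set[str]) -> list[Finding]:
    """Checks for the role on the local deployment that runs federated searches."""
    findings = []
    indexes = allowed_indexes(settings)
    if any("*" in name for name in indexes):
        findings.append(Finding(role, "wildcard in srchIndexesAllowed; list the exact local and federated indexes this role needs"))
    federated = {name for name in indexes if name.startswith("federated:")}
    if not federated:
        findings.append(Finding(role, "role allows no federated index, so it cannot run federated searches"))
    for name in sorted(federated - known_federated_indexes):
        findings.append(Finding(role, f"{name} is not a defined federated index on this search head"))
    return findings


if __name__ == "__main__":
    roles = parse_roles(SAMPLE_AUTHORIZE_CONF)
    for name in ("fed_service_broad", "fed_service"):
        for f in check_provider_service_role(name, roles[name]):
            print(f"{f.role}: {f.problem}")
    for f in check_local_federated_role("fed_analyst", roles["fed_analyst"],
                                        {"federated:provider1_fedindex1"}):
        print(f"{f.role}: {f.problem}")
```

Run against a real authorize.conf, the broad role reports three findings and the hardened role none; the local role check also catches a federated index name that no federated index definition on the search head matches, which is the usual sign of a role copied from another deployment.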
Running federated searches
To run a federated search you must first create federated provider definitions for the remote Splunk platform deployments that you intend to search. See Define a federated provider.
After you create your federated provider definitions, you must define federated indexes. Federated indexes live on the federated search head, which in turn resides on the local deployment for the federated search. Each federated index you define is mapped to a specific dataset on a federated provider. See Create a federated index.
For information about constructing and running federated searches, see Run federated searches.
Migrate from hybrid search to federated search
This documentation applies to the following versions of Splunk Cloud™: 8.2.2105, 8.2.2106