Define a federated provider
The first step to setting up federated search on your local Splunk platform deployment is defining one or more federated providers for that deployment. A federated provider is a remote data source that contains the remote datasets that you want to query on your local deployment with your federated searches.
- Read About federated search to familiarize yourself with federated search concepts and terminology.
- You must have a role with the admin_all_objects capability.
  - If you use the Splunk Cloud Platform, the sc_admin role has this capability by default. See Manage Splunk Cloud users and roles in the Splunk Cloud Admin Manual.
  - If you use Splunk Enterprise, the admin role has this capability by default. See Define roles on the Splunk platform with capabilities in the Securing the Splunk Platform manual.
- Gather the unique host names of the remote Splunk platform deployments that you want to set up as federated providers. The format of the host name depends on whether your local Splunk platform deployment uses search head clustering. See the following table for the right host name format for your deployment type.
| Deployment type | Uses search head clustering? | Host name format | Host name example |
| --- | --- | --- | --- |
| Splunk Cloud Platform | No | <stack name>.splunkcloud.com | buttercupgames.splunkcloud.com |
| Splunk Cloud Platform | Yes | <stack name>-shc.splunkcloud.com or shc-<stack name>.splunkcloud.com | |
| Splunk Enterprise | No | <deployment name>.splunk.com | buttercupgames.splunk.com |
| Splunk Enterprise | Yes | <deployment name>-shc.splunk.com or shc-<deployment name>.splunk.com | |
- You can find the <stack name> or <deployment name> in the URL for the main stack of a Splunk platform deployment.
- When you connect to a Splunk Cloud Platform federated provider that uses search head clustering, in most cases you will connect to the load balancer for the cluster when you use the URLs described above. This means that the load balancer can manage disruptions if individual search heads within the cluster go offline.
- There can be issues with knowledge object management when a remote deployment is behind a load balancer. See When the remote Splunk deployment uses search head clustering.
- Create a service user account on each remote Splunk platform deployment that you want to set up as a federated provider. See Create a federated provider service account.
- In Splunk Web, go to Settings > Federated Search.
- On the Federated Providers tab, click Add Federated Provider.
- Specify the following settings for your federated provider.
  - Federated Provider Type: Determines the federated provider type. Currently, this setting is fixed. You can define only federated providers that are remote Splunk platform deployments. Default value: Splunk.
  - Federated Provider Name: Select a unique name for the federated provider. No default.
  - Remote Host: Provide the host name and port number for the federated provider, separated by a colon character. For example: buttercupgames.splunkcloud.com:8089. You can provide an IP address instead of a host name. You can provide any legitimate port number; 8089, the standard management port number, works for any federated provider. If you can't connect to port 8089 on a remote Splunk Cloud Platform deployment, contact your Splunk representative to check that the management port is open on the federated provider. No default.
  - Service Account Username and Service Account Password: If you do not already have a service account on the federated provider, create one. A service account is a dedicated user account that allows the federated search head on your local Splunk instance to search datasets on the federated provider. See Create a federated provider service account. No default.
  - Application Short Name: Specify the short name of an app to apply an application context to searches on the federated provider. If Local Knowledge Objects is enabled, provide the short name of an app that is installed on the federated search head on your local Splunk deployment. If Local Knowledge Objects is disabled, provide the short name of an app that is installed on the remote search head of the federated provider. If you leave this setting blank, Splunk software applies search, the short name of the Search & Reporting app, to this setting. See About providing application contexts for federated providers. Default value: search.
  - Local Knowledge Objects: This switch determines whether the portions of federated searches that are processed on this federated provider use knowledge objects from your federated search head or knowledge objects from the remote search head on this federated provider. If you enable the Local Knowledge Objects setting for a federated provider, wait a few minutes before you try to run federated searches over that federated provider. This feature relies on knowledge bundle replication between the federated search head and the federated provider, which can take some time to complete. If you try to search data on the federated provider before the bundle replication process completes, you might encounter search errors. See About knowledge objects in federated searches. Default value: Enabled (uses local knowledge objects).
- Click Save to save the federated provider configuration.
Create a federated provider service account
Before you define a remote Splunk platform deployment as a federated provider, create a service user account on that remote deployment. This service account enables secure communication between the federated search head on your local deployment and the federated provider.
To set up a service account, follow these steps on the remote Splunk platform deployment that you intend to configure as a federated provider. Follow the documentation links for the type of federated provider you are working with: Splunk Cloud Platform or Splunk Enterprise.
| Step | More information | Splunk Cloud Platform documentation | Splunk Enterprise documentation |
| --- | --- | --- | --- |
| Create a new role | This role is dedicated to the service account for the federated provider. Do not give it to other users or entities. As you design this role, implement role-based restrictions that ensure that this service account role can access only the indexes and datasets that should be available for federated searches. It should inherit its baseline capabilities from the User role. | See Manage Splunk Cloud roles in the Splunk Cloud Admin Manual. | See Create and manage roles with Splunk Web in Securing the Splunk Platform. |
| Create a new user and assign the role to it | This user is the service account for the federated provider. Assign the role you created in the first step to this service account. | See Manage Splunk Cloud users in the Splunk Cloud Admin Manual. | See Create and manage users with Splunk Web in the Securing the Splunk Platform manual. |
| Save a record of the user ID and password for the service account | You need these credentials for the Service Account Username and Service Account Password fields when you configure the remote Splunk platform deployment as a federated provider. | | |
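The role requirements above (dedicated role, inherit only from user, explicit index allow-list) can be checked mechanically. The following added script, which is not part of Splunk's documentation or product, parses authorize.conf-style role stanzas and reports deviations from that guidance; the stanza contents are constructed samples and the role names are hypothetical.

```python
import configparser

# Constructed sample authorize.conf: the first stanza is an over-privileged
# service role, the second follows the least-privilege guidance for a
# federated provider service account. Both role names are hypothetical.
SAMPLE_AUTHORIZE_CONF = """
[role_fedsearch_svc_bad]
importRoles = admin
srchIndexesAllowed = *;_*
srchIndexesDefault = main
edit_user = enabled

[role_fedsearch_svc]
importRoles = user
srchIndexesAllowed = web;firewall
srchIndexesDefault = web
"""

def parse_roles(conf_text):
    """Parse authorize.conf text into {role_name: {key: value}} for role_* stanzas."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written (srchIndexesAllowed, importRoles)
    cp.read_string(conf_text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def audit_service_role(role):
    """Return findings for a role intended for a federated search service account."""
    findings = []
    imports = [r.strip() for r in role.get("importRoles", "").split(";") if r.strip()]
    if imports != ["user"]:
        findings.append(f"importRoles should be exactly 'user', found {imports}")
    allowed = [i.strip() for i in role.get("srchIndexesAllowed", "").split(";") if i.strip()]
    if not allowed:
        findings.append("srchIndexesAllowed is empty: no indexes explicitly granted")
    wild = [i for i in allowed if "*" in i]
    if wild:
        findings.append(f"srchIndexesAllowed grants wildcard indexes {wild}")
    # Any 'capability = enabled' line adds rights beyond the inherited baseline.
    extra_caps = sorted(k for k, v in role.items()
                        if v.strip().lower() == "enabled" and not k.startswith("srch"))
    if extra_caps:
        findings.append(f"extra capabilities enabled beyond the inherited baseline: {extra_caps}")
    return findings

def audit_all(conf_text):
    """Audit every role_* stanza; an empty findings list means the role passes."""
    return {name: audit_service_role(role) for name, role in parse_roles(conf_text).items()}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_AUTHORIZE_CONF).items():
        print(name, "OK" if not findings else findings)
```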
About providing application contexts for federated providers
The Application Short Name setting on the Add Federated Provider page in Splunk Web provides an application context for the searches you run against remote datasets on the federated provider. Setting an application context for a federated provider serves three purposes.
| Purpose | Description |
| --- | --- |
| Knowledge-object scoping | Provision of an application context ensures that federated searches that use the federated provider are limited to the knowledge objects that are associated with the named application. For example, if a federated provider has the Search & Reporting app as its application context, federated searches you run with it can use or reference only the lookups, aliases, search-time field extractions, and other knowledge objects that are associated with the Search & Reporting app. If you run a search that references a lookup or calculated field that is associated with another application, such as Splunk Enterprise Security or Splunk IT Service Intelligence, it will fail because it can't find those knowledge objects in the Search & Reporting app. |
| Provision of workload management limits | The application context allows administrators of the federated provider to set app-based workload management limits on your federated searches. |
| Logging and auditing | The application context simplifies logging and auditing of the federated provider. |
To find what applications are installed on a specific Splunk platform deployment, in Splunk Web on that deployment, go to Apps > Manage Apps. This takes you to the Apps listing page, where the short names of the installed apps are provided in the Folder name column.
You can create multiple federated provider configurations that use the same remote host name and port but have different application contexts, as long as each federated provider configuration has a unique name. For example, you can use the following three federated provider configurations concurrently even though they all search data on the same remote host:
| Federated provider name | Remote host | Application short name |
| --- | --- | --- |
Know the knowledge objects that are applied to your federated searches
Because a federated search is spread across multiple Splunk platform deployments, it can potentially apply knowledge objects from all of those deployments to the search. This process can cause problems if you are not intimately aware of the knowledge object sets on each deployment included in your federated search.
For example, let's say you have a federated search that references a lookup configuration named http_status. You set up your search to return results from datasets on two federated providers, as well as your own local Splunk platform deployment. If each of the three Splunk platform deployments in your federated search has a lookup configuration named http_status, but each of those lookups references a different CSV lookup table, you might get a mismatched set of lookup fields applied to the results of your search when Local Knowledge Objects is disabled.
In most cases, it is best if your federated searches centralize their knowledge object pools. This is why, when you define federated providers in Splunk Web, the Local Knowledge Objects setting is enabled by default. The setting ensures that federated search processes on the federated provider use only knowledge objects from the federated search head. In other words, if the Local Knowledge Objects setting is enabled for all of the federated providers in your federated search, all of the remote search heads on those federated providers use knowledge objects from your local federated search head when they process the federated search.
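Before disabling Local Knowledge Objects for a provider, it helps to know which lookup names are defined with different backing files across the deployments in the search. The following added script, which is not Splunk's code, parses transforms.conf-style lookup stanzas from several deployments and reports the http_status-style mismatches described above; the deployment names and stanza contents are constructed samples.

```python
import configparser

# Constructed sample transforms.conf fragments, one per deployment in the
# federated search: the local federated search head plus two providers.
# All three define http_status, but provider-east points it at another CSV.
DEPLOYMENTS = {
    "local-fsh": """
[http_status]
filename = http_status.csv
[geo_sites]
filename = geo_sites.csv
""",
    "provider-east": """
[http_status]
filename = http_status_v2.csv
""",
    "provider-west": """
[http_status]
filename = http_status.csv
[geo_sites]
filename = geo_sites_legacy.csv
""",
}

def parse_lookups(conf_text):
    """Return {lookup_name: filename} for the file-based lookups in transforms.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {s: cp[s]["filename"] for s in cp.sections() if cp.has_option(s, "filename")}

def find_mismatches(deployments):
    """Find lookup names whose backing CSV differs between deployments.

    Returns {lookup_name: {deployment: filename}} for every lookup defined on
    more than one deployment with more than one distinct filename. These are
    the lookups that can yield inconsistent fields when a federated search
    runs with Local Knowledge Objects disabled.
    """
    by_name = {}
    for dep, text in deployments.items():
        for name, fname in parse_lookups(text).items():
            by_name.setdefault(name, {})[dep] = fname
    return {name: defs for name, defs in by_name.items()
            if len(defs) > 1 and len(set(defs.values())) > 1}

if __name__ == "__main__":
    for name, defs in sorted(find_mismatches(DEPLOYMENTS).items()):
        print(f"{name}: {defs}")
```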
When the remote Splunk deployment uses search head clustering
If possible, disable the Local Knowledge Objects setting for federated providers on remote Splunk deployments that use search head clustering. This is especially important if you have set up the load balancer as the federated provider for the search head cluster. Because the load balancer distributes traffic across the cluster, it can deliver the knowledge object bundle to one cluster node while routing the federated search to a different node, and that search then fails.
If your remote deployment uses search head clustering and you must use local knowledge objects for your federated searches, set up each of the search heads in the search head cluster as federated providers, and turn Local Knowledge Objects on for each provider.
After you have defined one or more federated providers, you need to define one or more federated indexes and associate remote datasets from the federated providers to those federated indexes. For more information, see Create a federated index.
This documentation applies to the following versions of Splunk Cloud™: 8.2.2105, 8.2.2106