Splunk Cloud Platform

Search Manual


This documentation does not apply to the most recent version of Splunk Cloud Platform.

About federated search

You can run federated searches to search datasets outside of your local Splunk deployment. From your local search head, federated search gives you a holistic view of datasets across multiple Splunk platform deployments.

Federated search is topology-agnostic, so it works despite the complexity of the Splunk platform deployments involved. You can run a federated search across any remote Splunk Cloud Platform or Splunk Enterprise deployment, whether it has a single search head or a search head cluster.

Federated search is currently unavailable for regulated (FedRAMP, PCI, and HIPAA) Splunk Cloud Platform environments.

Do you use hybrid search? See Migrate from hybrid search to federated search.

Components of a typical federated search setup

Federated search introduces a set of terms. Familiarize yourself with them before you set up and run federated searches.

Federated search

A search of one or more remote datasets on one or more federated providers.

Local deployment

The Splunk platform deployment from which you perform federated searches. The federated search head for your federated search resides on your local deployment.

In this context, "local" does not refer to your physical location. If you are in London and are logging into a Splunk platform deployment located in New York City when you run a federated search, that New York City deployment is the local deployment for your federated search.

Federated provider

A remote Splunk platform deployment. Contains the remote datasets that you search with your federated searches, such as indexes and saved searches.

Before you can run a federated search, you must set up federated provider definitions on the local Splunk platform deployment. These definitions enable the federated search head to make network connections to the federated provider and run searches on a remote search head on that provider through a service account. See Define a federated provider.

Federated search head

A search head residing on the local deployment that initiates federated searches. Contains federated indexes.

Federated index

An index you create on your federated search head to run federated searches. Each federated index maps to a specific remote dataset on a federated provider. Federated indexes can't be targets for data inputs. See Create a federated index.

Remote dataset

A dataset on a federated provider. Currently, only indexes and saved searches qualify as remote datasets.

Remote search head

A search head on a federated provider. A remote search head can be part of a search head cluster, but the federated search head that connects to it won't be aware of the cluster. See When federated providers use search head clustering.

How federated search works

The federated search process works similarly to distributed search. The initial processing of a search is handled by the indexers of a Splunk platform deployment, and then the results are aggregated on the search head for that deployment to produce a final result set.

Federated searches, however, are broken up into parts that are processed locally and parts that are processed remotely. The remote processing takes place on one or more federated providers.

For example, say you have a simple federated search that involves only one federated provider. In this case, the federated search process sends the remote portion of the search to the federated provider, where the initial part of the subsearch is processed independently by the remote search head and its indexers. The remote search head then sends the results back to the federated search head on the local Splunk platform deployment, where the local search head aggregates the remote results into the final result set for the complete federated search.

The following diagram illustrates a federated search over a remote Splunk platform deployment. The remote deployment is set up as a federated provider. The provider has an index dataset that is available for federated searches. On the local Splunk platform deployment, a federated index on the federated search head is mapped to the remote dataset.

A simple federated search for this setup might look like this:

index=federated:provider1_fedindex1 | stats count

This search references a federated index named provider1_fedindex1, which is mapped to the remote index dataset stored on Federated Provider 1. The federated search head uses this mapping to send the remote portion of the search to Federated Provider 1, and the remote search head returns the events from the remote index to the federated search head on your local deployment. The federated search head then runs the stats count operation on those events. When this stats count aggregation is complete, the federated search head presents the results without additional processing, as there are no additional datasets involved in the search.

See Run federated searches to learn how to write federated searches.

Supported federated search configurations

The types of federated search configurations you can run depend on the type of Splunk platform deployment you are running locally.

Type of the local Splunk platform deployment          Splunk platform deployment types you can set up as federated providers
Splunk Cloud Platform (version 8.1.2012 or higher)    Splunk Cloud Platform (version 8.1.2012 or higher)
Splunk Enterprise (version 8.2.0 or higher)           Splunk Cloud Platform (version 8.2.2104 or higher)
                                                      Splunk Enterprise (version 8.2.0 or higher)

If your local deployment is on Splunk Cloud Platform, you can run federated searches over other Splunk Cloud Platform deployments. If your local deployment is on Splunk Enterprise, you can run federated searches over remote Splunk Cloud Platform deployments and remote Splunk Enterprise deployments.

If you have a Splunk Enterprise deployment that is lower than 8.2 and want to run federated searches without upgrading the entire deployment, you can upgrade a single search head in that deployment to 8.2 and run federated searches from that search head.

Currently, federated search for Splunk Enterprise is limited to Splunk Enterprise deployments that run on Linux. This restriction does not affect Splunk Cloud Platform deployments.

Federated search security

When you run a federated search, the communication between the local Splunk platform deployment and any remote Splunk platform deployment that you designate as a federated provider is facilitated by a dedicated service user account. This account is set up on the federated provider. When you run a federated search that involves that federated provider, the federated provider portion of the search runs in the context of that service account.

You can apply role-based access control filters to a federated provider service account to restrict the range of data that federated searches can access on a federated provider. For example, you can set up service accounts that have index restrictions, SPL filters, restrictions on search time ranges, and more. Because the provider portion of every federated search runs in the context of this service account, its restrictions bound what any local user can retrieve through federated search, regardless of that user's own role on the local deployment. If you set up federated indexes that search saved search datasets, you can also limit access to those searches by adjusting their permissions.

On the local Splunk platform deployment, you can also set up role-based index restrictions for the federated indexes that you define.

As a best practice for federated search security, you can set up a role on the local Splunk platform deployment that strictly limits its index permissions to only the local and federated indexes that are necessary for federated searches. Assign this role to users on the local deployment that must run federated searches.
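The two role restrictions described above, the service account role on the federated provider and the scoped user role on the local deployment, both live in authorize.conf, and a common mistake is to import a broad role into a role that looks tightly scoped. The following Python lint is an added example and not Splunk's code or part of this documentation: it parses constructed authorize.conf stanzas, resolves a role's effective permissions across importRoles the way Splunk combines inherited roles (index lists are unioned and srchFilter values are ORed; this example also takes the widest srchTimeWin and treats a role without a srchFilter as contributing no restriction), and flags a service account role that is broader than intended. The role names fedsearch_svc and fedsearch_user, the index names, and the [role_user] stanza contents are hypothetical; the authorize.conf keys used are real Splunk settings.

```python
"""Lint authorize.conf roles used for federated search (added example, not Splunk code).

Role names, index names and the [role_user] stanza below are constructed for the
example; srchIndexesAllowed, srchIndexesDefault, srchFilter, srchTimeWin and
importRoles are real authorize.conf settings.
"""
import configparser
from dataclasses import dataclass, field
from typing import Optional

# Constructed provider-side authorize.conf.  The service role looks scoped to one
# index, but importRoles pulls in a role whose srchIndexesAllowed is "*", and
# inherited index access is cumulative, so the restriction is void.
WEAK_PROVIDER_AUTHORIZE = """
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main

[role_fedsearch_svc]
importRoles = user
srchIndexesAllowed = web_proxy
srchIndexesDefault = web_proxy
"""

# Constructed hardened version: no inheritance, an explicit index list, an SPL
# filter, and a 30-day search time window (srchTimeWin is in seconds).
HARDENED_PROVIDER_AUTHORIZE = """
[role_fedsearch_svc]
search = enabled
srchIndexesAllowed = web_proxy;fw_logs
srchIndexesDefault = web_proxy
srchFilter = sourcetype=squid OR sourcetype=pan:traffic
srchTimeWin = 2592000
"""

# Constructed local-side role: only the local and federated indexes that the
# federated searches need, with no imported roles widening the list.
LOCAL_USER_AUTHORIZE = """
[role_fedsearch_user]
search = enabled
srchIndexesAllowed = main;federated:provider1_fedindex1
srchIndexesDefault = federated:provider1_fedindex1
"""


@dataclass
class EffectivePerms:
    indexes: set = field(default_factory=set)
    filters: list = field(default_factory=list)
    unfiltered: bool = False          # some role in the chain has no srchFilter
    time_win: Optional[int] = None    # seconds; None means unlimited


def parse_authorize(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str              # keep the case of keys such as srchFilter
    cp.read_string(text)
    return cp


def _split(value: str) -> list:
    return [v.strip() for v in value.split(";") if v.strip()]


def effective_perms(cp, role: str, _seen=None) -> EffectivePerms:
    """Walk importRoles and merge permissions: union of indexes, OR of filters,
    widest time window.  A role without srchFilter adds no event-level restriction."""
    eff = EffectivePerms()
    seen = _seen if _seen is not None else set()
    if role in seen or not cp.has_section(f"role_{role}"):
        return eff
    seen.add(role)
    st = cp[f"role_{role}"]
    eff.indexes = set(_split(st.get("srchIndexesAllowed", "")))
    if st.get("srchFilter"):
        eff.filters.append(st["srchFilter"])
    else:
        eff.unfiltered = True
    tw = int(st.get("srchTimeWin", "-1"))
    eff.time_win = None if tw <= 0 else tw     # assumption: <= 0 means unlimited
    for parent in _split(st.get("importRoles", "")):
        p = effective_perms(cp, parent, seen)
        eff.indexes |= p.indexes
        eff.filters += p.filters
        eff.unfiltered |= p.unfiltered
        if p.time_win is None or (eff.time_win is not None and p.time_win > eff.time_win):
            eff.time_win = p.time_win
    return eff


def lint_service_role(cp, role: str) -> list:
    """Findings for a federated provider service account role; [] means clean."""
    eff = effective_perms(cp, role)
    findings = []
    if "*" in eff.indexes:
        findings.append("srchIndexesAllowed resolves to * (check importRoles)")
    if eff.unfiltered:
        findings.append("a role in the chain has no srchFilter: no event-level restriction")
    if eff.time_win is None:
        findings.append("srchTimeWin is unlimited: searches can span all retained data")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_PROVIDER_AUTHORIZE), ("hardened", HARDENED_PROVIDER_AUTHORIZE)):
        print(label, lint_service_role(parse_authorize(conf), "fedsearch_svc"))
    print("local", sorted(effective_perms(parse_authorize(LOCAL_USER_AUTHORIZE), "fedsearch_user").indexes))
```

The weak stanza is the one to study: its own srchIndexesAllowed line is narrow, yet the resolved index set contains "*", so the service account can read every non-internal index on the provider. Run the same check against the local role to confirm that nothing imported has widened it beyond the local and federated indexes the federated searches actually need.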

See the following topics for more information about setting up role-based access control restrictions:

Getting set up to run federated searches

To run a federated search you must first create federated provider definitions for the remote Splunk platform deployments that you intend to search. See Define a federated provider.

After you create your federated provider definitions, you must create federated indexes. Each federated index you create is mapped to a specific dataset on a federated provider that you plan to search with federated searches. See Create a federated index.

Running federated searches

For information about constructing and running federated searches, see Run federated searches.

Last modified on 16 September, 2021

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2105 (latest FedRAMP release), 8.2.2106
