Splunk Cloud Platform

Search Manual




Define a federated provider

The first step to setting up federated search on your local Splunk platform deployment is defining one or more federated providers for that deployment. A federated provider is a remote data source that contains the remote datasets that you want to query on your local deployment with your federated searches.

Prerequisites

  • Read About federated search to familiarize yourself with federated search concepts and terminology.
  • You must have a role with the admin_all_objects capability.
  • Gather the unique host name of the remote Splunk platform deployment that you want to set up as a federated provider. The format of the host name depends on whether that remote deployment uses search head clustering. See the following table for the right host name format for the remote deployment type.

Deployment type       | Uses search head clustering? | Host name format                                                          | Host name example
Splunk Cloud Platform | No                           | <stack name>.splunkcloud.com                                              | buttercupgames.splunkcloud.com
Splunk Cloud Platform | Yes                          | <stack name>-shc.splunkcloud.com or shc-<stack name>.splunkcloud.com      | buttercupgames-shc.splunkcloud.com or shc-buttercupgames.splunkcloud.com
Splunk Enterprise     | No                           | <deployment name>.splunk.com                                              | buttercupgames.splunk.com
Splunk Enterprise     | Yes                          | <deployment name>-shc.splunk.com or shc-<deployment name>.splunk.com      | buttercupgames-shc.splunk.com or shc-buttercupgames.splunk.com
You can find the <stack name> or <deployment name> in the URL for the main stack of a Splunk platform deployment.
When you connect to a Splunk Cloud Platform federated provider that uses search head clustering, in most cases you will connect to the load balancer for the cluster when you use the URLs described above. This means that the load balancer can manage disruptions if individual search heads within the cluster go offline.
There can be issues with knowledge object management when a federated provider is behind a load balancer. See Should your federated searches use local or remote knowledge objects?

Steps

  1. On your local Splunk platform deployment, in Splunk Web, go to Settings > Federated Search.
  2. On the Federated Providers tab, click Add Federated Provider.
  3. Specify the following settings for your federated provider.

    Provider Type
    Determines the federated provider type. Currently this setting is fixed: you can define only federated providers that are remote Splunk platform deployments.
    Default value: Splunk

    Provider Mode
    Select the mode of the federated provider. For a comparison of standard and transparent mode, see About federated search.
    Default value: Standard

    Provider Name
    Enter a unique name for the federated provider.
    Default value: none

    Remote Host
    Provide the host name and port number for the federated provider, separated by a colon character. For example: buttercupgames.splunkcloud.com:8089.

    You can provide an IP address instead of a host name.

    You can provide any valid port number. 8089, the standard management port number, works for any federated provider.

    If you can't connect to port 8089 on a remote Splunk Cloud Platform deployment, contact your Splunk representative to check that the management port is open on the federated provider.

    For the purposes of federated search, communication between local and remote Splunk platform search heads is facilitated by an internal REST API endpoint.
    Default value: none

    Service Account Username and Service Account Password
    If you do not already have a service account on the federated provider, create one. A service account is a dedicated user account that allows the federated search head on your local Splunk instance to search datasets on the federated provider. Every federated search over this provider runs on the remote deployment with this account's permissions, so give it a role with only the access that those searches need.

    See Service accounts and federated search security.
    Default value: none

    Application Short Name
    Specify the short name of an app to apply an application context to searches on the federated provider.
    • If the Local Knowledge Objects setting is disabled, provide the short name of an app that is installed on the remote search head of the federated provider.
    • If the Local Knowledge Objects setting is enabled, provide the short name of an app that is installed on both the federated search head of your local Splunk platform deployment and the remote search head of the federated provider.

    If you leave this setting blank, Splunk software applies search, the short name of the Search & Reporting app, to this setting.

    See Determine which knowledge objects are applied to federated searches.
    Default value: search

    Local Knowledge Objects
    This switch determines whether the portions of federated searches that are processed on this federated provider use knowledge objects from your federated search head or knowledge objects from the remote search head on this federated provider.

    You cannot disable Local Knowledge Objects for a transparent mode federated provider.

    If you enable the Local Knowledge Objects setting for a standard mode federated provider, wait a few minutes before you try to run federated searches over that federated provider. This feature relies on knowledge bundle replication between the federated search head and the federated provider, which can take some time to complete. If you search data on the federated provider before the bundle replication process completes, you might encounter search errors.

    See Determine which knowledge objects are applied to federated searches.

    This setting also has implications for federated search security. See Service accounts and federated search security.
    Default value: Disabled when using standard mode; permanently enabled when using transparent mode.
  4. Click Save to save the federated provider configuration.

About creating multiple federated provider definitions for the same remote deployment

You can create multiple standard mode federated provider definitions that share the same host name and port for a remote Splunk platform deployment, as long as they all have different Provider name values. You might do this if you want to create different provider definitions for different app contexts on the same remote deployment.

You can create only one transparent mode federated provider definition for a given host name and port.
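The following pre-flight script is an added example, not Splunk's own code. It checks a set of federated provider definitions against the rules on this page before you click Save: the Remote Host value is host:port with a valid port, the host name (or IP address) matches the documented format for the remote deployment type, transparent mode never has Local Knowledge Objects disabled, Provider Name values are unique, and only one transparent mode definition exists per host and port. It also includes an optional probe of the management port that sends a GET to the remote deployment's /services/server/info REST endpoint with the service account credentials; the endpoint path and the JSON shape it returns are assumptions about the remote deployment, certificate verification is left on, and the probe is not run by default. All host names, account names and provider definitions in the block are constructed sample values.

```python
"""Pre-flight checks for federated provider definitions (added example, not Splunk code)."""
import base64
import ipaddress
import json
import re
import urllib.request
from urllib.error import HTTPError, URLError

DEFAULT_MGMT_PORT = 8089  # standard Splunk management port from the table above

# Host name formats from the deployment-type table, keyed by (deployment, uses_shc).
HOST_PATTERNS = {
    ("cloud", False): [r"^[a-z0-9-]+\.splunkcloud\.com$"],
    ("cloud", True): [r"^[a-z0-9-]+-shc\.splunkcloud\.com$", r"^shc-[a-z0-9-]+\.splunkcloud\.com$"],
    ("enterprise", False): [r"^[a-z0-9-]+\.splunk\.com$"],
    ("enterprise", True): [r"^[a-z0-9-]+-shc\.splunk\.com$", r"^shc-[a-z0-9-]+\.splunk\.com$"],
}


def parse_remote_host(value):
    """Split a Remote Host value ("host:port") and validate the port number."""
    host, sep, port_text = value.rpartition(":")
    if not sep or not host:
        raise ValueError("Remote Host must be <host>:<port>, e.g. buttercupgames.splunkcloud.com:8089")
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"invalid port {port_text!r} in Remote Host {value!r}")
    return host, int(port_text)


def host_matches_deployment(host, deployment, uses_shc):
    """True if host is an IP address (allowed instead of a host name) or matches
    the documented host name format for the remote deployment type."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        pass
    return any(re.match(p, host.lower()) for p in HOST_PATTERNS[(deployment, uses_shc)])


def validate_provider(name, remote_host, deployment, uses_shc, mode="standard", local_ko=False):
    """Return the list of problems with one provider definition (empty list = ok)."""
    problems = [] if name else ["Provider Name is required"]
    try:
        host, _port = parse_remote_host(remote_host)
    except ValueError as exc:
        return problems + [str(exc)]
    if not host_matches_deployment(host, deployment, uses_shc):
        problems.append(f"{host} does not match the host name format for {deployment} (shc={uses_shc})")
    if mode == "transparent" and not local_ko:
        problems.append("transparent mode providers always use local knowledge objects; the switch cannot be disabled")
    return problems


def check_provider_set(providers):
    """Uniqueness rules across definitions: Provider Name must be unique, and only one
    transparent mode definition may exist per host:port (standard mode may share one)."""
    problems, names, transparent_hosts = [], set(), set()
    for p in providers:
        if p["name"] in names:
            problems.append(f"duplicate Provider Name {p['name']!r}")
        names.add(p["name"])
        if p["mode"] == "transparent":
            host_port = p["remote_host"].lower()
            if host_port in transparent_hosts:
                problems.append(f"more than one transparent mode provider for {host_port}")
            transparent_hosts.add(host_port)
    return problems


def probe_management_port(host, port, username, password, timeout=10):
    """Optional live check: GET /services/server/info as the service account.
    Returns (status, detail). Assumes the endpoint answers HTTP basic auth with JSON.
    'unreachable' is the case where the doc says to ask your Splunk representative
    whether the management port is open; 'auth' means the port is open but the
    service account credentials were rejected. TLS verification is deliberately left on."""
    url = f"https://{host}:{port}/services/server/info?output_mode=json"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            content = json.load(resp)["entry"][0]["content"]
            return "ok", f"{content.get('serverName')} (Splunk {content.get('version')})"
    except HTTPError as exc:
        return ("auth" if exc.code == 401 else "http"), f"HTTP {exc.code} from {url}"
    except URLError as exc:
        return "unreachable", str(exc.reason)


if __name__ == "__main__":
    # Constructed sample definitions; no network access is made here.
    sample = [
        {"name": "bg_sales", "mode": "standard", "remote_host": "buttercupgames.splunkcloud.com:8089"},
        {"name": "bg_ops", "mode": "standard", "remote_host": "buttercupgames.splunkcloud.com:8089"},
        {"name": "bg_transparent", "mode": "transparent", "remote_host": "shc-buttercupgames.splunkcloud.com:8089"},
    ]
    for p in sample:
        print(p["name"], validate_provider(p["name"], p["remote_host"], "cloud", "shc" in p["remote_host"], p["mode"], p["mode"] == "transparent"))
    print("set:", check_provider_set(sample))
```

Run the probe only after the offline checks pass, and never disable certificate verification to make it succeed: a remote deployment that cannot present a valid certificate on its management port is a problem to raise with its operator, not to work around in the provider definition.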

Next step for a standard mode federated provider

If you have defined a standard mode federated provider, you need to define one or more federated indexes and associate remote datasets from the federated providers to those federated indexes. For more information, see Create a federated index.

Next step for a transparent mode federated provider

If you have defined a transparent mode federated provider, you are ready to run federated searches. See Run federated searches.

Last modified on 15 October, 2021

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2107

