Splunk Cloud Platform

Search Manual

This documentation does not apply to the most recent version of Splunk Cloud Platform. For documentation on the most recent version, go to the latest release.

Create a federated index

After you set up one or more remote Splunk platform deployments as standard mode federated providers for your local Splunk platform deployment, you need to create federated indexes for use in federated searches. Each federated index you create maps to one remote dataset on a standard mode federated provider.

Transparent mode federated providers do not use federated indexes. If you are running all of your federated searches in transparent mode, you can skip this topic.

The Splunk platform creates federated indexes on the federated search head of your local Splunk platform deployment. Federated indexes are events indexes.

In this task, you:

  • Provide the name of the federated index.
  • Select a standard mode federated provider. The federated provider must contain the remote dataset to which the federated index is mapped.
  • Specify the remote dataset to which the federated index is mapped.

You can map a federated index to only one remote dataset at a time. If a federated provider contains several remote datasets over which you want to run federated searches, define a separate federated index for each dataset.

See About federated search for an overview of the standard and transparent modes of federated search.

Specifying remote datasets

When you create a federated index, you map the index to a specific remote dataset on a standard mode federated provider. Remote datasets can be events indexes or saved searches.

Remote dataset type | Definition
Events index | Each events index on a federated provider is a searchable dataset.
Saved search | The result set produced by a run of a saved search on a federated provider is a searchable dataset.

Benefits of remote saved search datasets

You can use saved search datasets to get around certain limitations of federated searches. For example, federated searches cannot be the following kinds of searches:

  • Searches that use metrics search commands such as mstats to search data in metrics indexes.
  • Searches that use the tstats command to reference data models.
  • Searches that use any generating commands other than search or from.

However, you can create federated indexes that map to these kinds of saved searches, as saved search datasets. Then you can write federated searches that reference those federated indexes. See Run federated searches.

Remote dataset restrictions

The following kinds of indexes and saved searches cannot be used as remote datasets for federated searches. Do not map federated indexes to them.

  • Metrics indexes
  • Federated indexes
  • Saved searches that contain references to federated indexes

Review the permission settings on saved searches that you want to use as federated search datasets. Such saved searches must either be shared globally, or they must have the same app context as the federated provider that the federated index is associated with.

For example, if you are creating a federated index for a federated provider that is associated with the Search app, any saved search dataset for that index must be shared with the Search app as well, or shared globally.

Prerequisites

Steps

  1. On the local Splunk platform deployment, in Splunk Web, go to Settings > Federated Search.
  2. On the Federated Indexes tab, click Add Federated Index.
  3. Using the following table, specify the settings for your federated index.
    Federated Index Name
      Description: Specify the name of the federated index you're creating. The name must reference the remote dataset it maps to.
      Federated index names have the following restrictions:
      • They may contain only lowercase letters, numbers, underscores, and hyphens.
      • They must begin with a letter or number.
      • They cannot be more than 2048 characters in length.
      • They cannot contain the string "kvstore".
      Default value: No default

    Federated Provider
      Description: Select the standard mode federated provider that contains the dataset to which this federated index will map.
      Default value: No default

    Remote Dataset
      Description: Specify the remote Dataset Type that this federated index maps to and provide the Dataset Name. For Dataset Name, provide the name of a dataset of the selected Dataset Type that currently exists on the selected federated provider.
      Default value: Dataset Type defaults to Index. Dataset Name has no default.
  4. Click Save to save the federated index configuration.
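The naming restrictions from step 3 and the remote dataset restrictions described under "Remote dataset restrictions", collected into one pre-check you can run over a planned index definition before saving it in Splunk Web. This is an added example, not Splunk's own code; the dictionary layout used to describe a remote dataset is an assumption of this example.

```python
import re

# Naming rules from the "Federated Index Name" setting on this page:
# lowercase letters, numbers, underscores and hyphens only; must start
# with a letter or number; at most 2048 characters; must not contain "kvstore".
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]*$")
MAX_NAME_LEN = 2048


def validate_federated_index_name(name):
    """Return a list of rule violations; an empty list means the name is acceptable."""
    problems = []
    if not NAME_RE.match(name):
        problems.append("name must use only lowercase letters, numbers, underscores "
                        "and hyphens, and must begin with a letter or number")
    if len(name) > MAX_NAME_LEN:
        problems.append("name is longer than 2048 characters")
    if "kvstore" in name:
        problems.append('name must not contain the string "kvstore"')
    return problems


def validate_remote_dataset(dataset, provider_app):
    """Check a planned remote dataset against the restrictions on this page.

    `dataset` is a constructed dict (assumed layout, not a Splunk API object):
      type: "index" or "saved_search"
      index_kind: "events", "metrics" or "federated"   (for type "index")
      references_federated_index: bool                 (for saved searches)
      shared: "global" or "app", app: app context name (for saved searches)
    `provider_app` is the app context of the federated provider.
    """
    problems = []
    if dataset.get("type") == "index":
        kind = dataset.get("index_kind")
        if kind == "metrics":
            problems.append("metrics indexes cannot be used as remote datasets")
        elif kind == "federated":
            problems.append("federated indexes cannot be used as remote datasets")
    elif dataset.get("type") == "saved_search":
        if dataset.get("references_federated_index"):
            problems.append("saved searches that reference federated indexes are not allowed")
        # The saved search must be shared globally or live in the provider's app context.
        if dataset.get("shared") != "global" and dataset.get("app") != provider_app:
            problems.append("saved search must be shared globally or share the "
                            "provider's app context (%s)" % provider_app)
    else:
        problems.append("dataset type must be index or saved_search")
    return problems
```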

The index is created on the federated search head of your local Splunk platform deployment.

In Splunk Web, you can view the federated indexes that you create for your deployment by selecting Settings > Federated Search > Federated Indexes.

Do not designate federated indexes as default indexes for roles or data inputs.

Currently, federated indexes do not appear on the Indexes listing page at Settings > Indexes.

Give your users access to federated indexes

After you create a federated index, you must give your federated search users access to the index. If you do not do this, your users cannot search the remote dataset that the federated index maps to.

Just as with normal Splunk indexes, you grant access to federated indexes at the role level. This lets you grant federated index access to certain groups of users while disallowing access to other user groups.

To learn how to add a federated index to the set of searchable indexes for a role, see the section on federated indexes in Service accounts and federated search security.

Next step

After you create your federated indexes, you can reference them in federated searches. When you reference a federated index in a search, you are searching over the remote dataset to which the federated index maps. See Run federated searches.

Last modified on 09 December, 2022

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112

