Splunk Cloud Platform

Search Manual

This documentation does not apply to the most recent version of Splunk Cloud Platform. For documentation on the most recent version, go to the latest release.

Define a federated provider

The first step to setting up federated search on your local Splunk platform deployment is defining one or more federated providers for that deployment. A federated provider is a remote data source that contains the remote datasets that you want to query on your local deployment with your federated searches.

Prerequisites

  • Read About federated search to familiarize yourself with federated search concepts and terminology.
  • You must have a role with the admin_all_objects and indexes_edit capabilities.
  • Gather the unique host name of the remote Splunk platform deployment that you want to set up as a federated provider. The format of the host name depends on whether your local Splunk platform deployment uses search head clustering. See the following table for the right host name format for your deployment type.
Deployment type Uses search head clustering? Host name format Host name example
Splunk Cloud Platform No <stack name>.splunkcloud.com buttercupgames.splunkcloud.com
Splunk Cloud Platform Yes shc1.<stack name>.splunkcloud.com shc1.buttercupgames.splunkcloud.com
Splunk Enterprise No <deployment name>.splunk.com buttercupgames.splunk.com
Splunk Enterprise Yes <deployment name>-shc.splunk.com
or shc-<deployment name>.splunk.com
shc-buttercupgames.splunk.com
or buttercupgames-shc.splunk.com
You can find the <stack name> or <deployment name> in the URL for the main stack of a Splunk platform deployment.
When you connect to a Splunk Cloud Platform federated provider that uses search head clustering, in most cases you will connect to the load balancer for the cluster when you use the URLs described above. The load balancer can manage disruptions if individual search heads within the cluster go offline.
There can be issues with knowledge object management when a federated provider is behind a load balancer. See Should your federated searches use local or remote knowledge objects?

To run federated searches, Splunk Cloud Platform deployments require additional configuration from Splunk Support. This is true whether the Splunk Cloud Platform deployment is on the local or remote side of the federated search. If you are setting up federated search between two Splunk Cloud Platform deployments, you must contact Splunk Support for both deployments.

If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Customer Support.

Steps

  1. On your local Splunk platform deployment, in Splunk Web, go to Settings > Federated Search.
  2. On the Federated Providers tab, click Add Federated Provider.
  3. Using the following table, specify the settings for your federated provider.
    Setting Description Default value
    Provider Type Determines the federated provider type. Currently, this setting is fixed. You can define only federated providers that are remote Splunk platform deployments. Splunk
    Provider Mode Select the mode of the federated provider. For a comparison of standard and transparent mode, see About federated search.

    Transparent mode is recommended only if you are migrating to federated search from a Splunk Enterprise to Splunk Cloud Platform hybrid search setup.

    Standard
    Provider Name Select a unique name for the federated provider.

    The provider name can contain only alphanumeric characters and underscores. The provider name cannot be the string splunk by itself. You can use this string with other alphanumeric characters. For example, abcsplunk is a valid provider name.
    No default
    Remote Host Provide the host name and port number for the federated provider, separated by a colon character. For example: buttercupgames.splunkcloud.com:8089.

    You can provide an IP address instead of a host name.

    You can provide any legitimate port number. 8089, the standard management port number, works for any federated provider.

    If you can't connect to port 8089 on a remote Splunk Cloud Platform deployment, contact your Splunk representative to check that the management port is open on the federated provider.

    For the purposes of federated search, communication between local and remote Splunk platform search heads is facilitated by an internal REST API endpoint.

    No default
    Service Account Username
    and
    Service Account Password
    If you do not already have a service account on the federated provider, create one. A service account is a dedicated user account that allows the federated search head on your local Splunk instance to search datasets on the federated provider.

    See Service accounts and federated search security.
    No default
    Application Short Name Specify the short name of an app to apply an application context to searches on the federated provider.

    When you run a federated search with this federated provider, the federated search applies the application context set by Application Short Name to the portion of the search that takes place on the federated provider. It ignores the application context of the local search head that the search originates from.
    • If the Local Knowledge Objects setting is disabled, provide the short name of an app that is installed on the remote search head of the federated provider.
    • If the Local Knowledge Objects setting is enabled, provide the short name of an app that is installed on both the federated search head of your local Splunk platform deployment and the remote search head of the federated provider.

    If you leave this setting blank, Splunk software applies search, the short name of the Search & Reporting app, to this setting.

    See Determine which knowledge objects are applied to federated searches.

    search
    Local Knowledge Objects This switch determines whether the portions of federated searches that are processed on this federated provider use knowledge objects from your federated search head or knowledge objects from the remote search head on this federated provider.

    You cannot disable Local Knowledge Objects for a transparent mode federated provider.

    If you enable the Local Knowledge Objects setting for a standard mode federated provider, wait a few minutes before you try to run federated searches over that federated provider. This feature relies on knowledge bundle replication between the federated search head and the federated provider, which can take some time to complete. If you try to search data on the federated provider before the bundle replication process completes, you might encounter search errors.

    See Determine which knowledge objects are applied to federated searches.

    This setting also has implications for federated search security. See Service accounts and federated search security.
    Disabled, when using standard mode.

    Permanently enabled, when using transparent mode.
  4. Click Test Connection to test the connection to the remote Splunk deployment that this federated provider definition is meant to set up.

    You should see a "Connection successful" message at the top of the dialog if the values that you have provided for the Provider Name, Remote Host, Service Account Username, and Service Account Password fields are correct. If you get an error message instead, it means one or more of those fields has been set incorrectly. Update the fields and repeat this step until you get the Connection successful message. If you having trouble making a connection, see Troubleshoot a federated provider connection.
  5. Click Save to save the federated provider configuration.

Troubleshoot a federated provider connection

If you are not able to get the Test Connection button to verify a connection between the federated provider and your local Splunk instance, try these troubleshooting methods.

  • Make sure you have provided correct values for the Remote Host, Service Account User Name, and Service Account Password fields. Verify that you have created a service account user for the federated provider.
  • There may be setup issues that require assistance from Splunk Customer Support, especially if you are trying to set up federated search from or to a Splunk Cloud Platform deployment. If you have a support contract, log in and file a new case using the Splunk Support Portal. Otherwise, contact Splunk Customer Support.

About creating multiple federated provider definitions for the same host name and port

You can create multiple standard mode federated provider definitions that share the same host name and port as long as they all have different Provider name values. You might do this if you want to create different provider definitions for different app contexts on the same remote deployment.

You can create only one transparent mode federated provider definition for the host name and port of a remote search head.

Next step for a standard mode federated provider

If you have defined a standard mode federated provider, you need to define one or more federated indexes and associate remote datasets from the federated providers to those federated indexes. For more information, see Create a federated index.

Next step for a transparent mode federated provider

If you have defined a transparent mode federated provider, you are ready to run federated searches. See Run federated searches.

Last modified on 09 December, 2022
Determine which knowledge objects are applied to federated searches   Create a federated index

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters