Define a federated provider
The first step to setting up federated search on your local Splunk platform deployment is defining one or more federated providers for that deployment. A federated provider is a remote data source that contains the remote datasets that you want to query on your local deployment with your federated searches.
- Read About federated search to familiarize yourself with federated search concepts and terminology.
- You must have a role with the admin_all_objects capability.
- If you use the Splunk Cloud Platform, the sc_admin role has this capability by default. See Manage Splunk Cloud users and roles in the Splunk Cloud Admin Manual.
- If you use Splunk Enterprise, the admin role has this capability by default. See Define roles on the Splunk platform with capabilities in the Securing the Splunk Platform manual.
- Gather the unique host name of the remote Splunk platform deployment that you want to set up as a federated provider. The format of the host name depends on whether your local Splunk platform deployment uses search head clustering. See the following table for the right host name format for your deployment type.
| Deployment type | Uses search head clustering? | Host name format | Host name example |
| --- | --- | --- | --- |
| Splunk Cloud Platform | No | <stack name>.splunkcloud.com | buttercupgames.splunkcloud.com |
| Splunk Cloud Platform | Yes | shc1.<stack name>.splunkcloud.com | shc1.buttercupgames.splunkcloud.com |
| Splunk Enterprise | No | <deployment name>.splunk.com | buttercupgames.splunk.com |
| Splunk Enterprise | Yes | <deployment name>-shc.splunk.com or shc-<deployment name>.splunk.com | |
- You can find the <stack name> or <deployment name> in the URL for the main stack of a Splunk platform deployment.
- When you connect to a Splunk Cloud Platform federated provider that uses search head clustering, in most cases you will connect to the load balancer for the cluster when you use the URLs described above. The load balancer can manage disruptions if individual search heads within the cluster go offline.
- There can be issues with knowledge object management when a federated provider is behind a load balancer. See Should your federated searches use local or remote knowledge objects?
- Create a service user account on each remote Splunk platform deployment that you want to set up as a federated provider. See Service accounts and federated search security.
To run federated searches, Splunk Cloud Platform deployments require additional configuration from Splunk Support. This is true whether the Splunk Cloud Platform deployment is on the local or remote side of the federated search. If you are setting up federated search between two Splunk Cloud Platform deployments, you must contact Splunk Support for both deployments.
If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Customer Support.
- On your local Splunk platform deployment, in Splunk Web, go to Settings > Federated Search.
- On the Federated Providers tab, click Add Federated Provider.
- Using the following table, specify the settings for your federated provider.
Each setting is listed with its description and default value.

Provider Type
Determines the federated provider type. Currently, this setting is fixed. You can define only federated providers that are remote Splunk platform deployments.
Default value: Splunk

Provider Mode
Select the mode of the federated provider. For a comparison of standard and transparent mode, see About federated search.
Transparent mode is recommended only if you are migrating to federated search from a Splunk Enterprise to Splunk Cloud Platform hybrid search setup.
Default value: Standard

Provider Name
Select a unique name for the federated provider.
The provider name can contain only alphanumeric characters and underscores. The provider name cannot be the string splunk by itself. You can use this string with other alphanumeric characters. For example, abcsplunk is a valid provider name.
Default value: No default

Remote Host
Provide the host name and port number for the federated provider, separated by a colon character. For example: buttercupgames.splunkcloud.com:8089.
You can provide an IP address instead of a host name.
You can provide any legitimate port number. 8089, the standard management port number, works for any federated provider.
If you can't connect to port 8089 on a remote Splunk Cloud Platform deployment, contact your Splunk representative to check that the management port is open on the federated provider.
For the purposes of federated search, communication between local and remote Splunk platform search heads is facilitated by an internal REST API endpoint.
Default value: No default

Service Account Username and Service Account Password
If you do not already have a service account on the federated provider, create one. A service account is a dedicated user account that allows the federated search head on your local Splunk instance to search datasets on the federated provider.
See Service accounts and federated search security.
Default value: No default

Application Short Name
Specify the short name of an app to apply an application context to searches on the federated provider.
When you run a federated search with this federated provider, the federated search applies the application context set by Application Short Name to the portion of the search that takes place on the federated provider. It ignores the application context of the local search head that the search originates from.
- If the Local Knowledge Objects setting is disabled, provide the short name of an app that is installed on the remote search head of the federated provider.
- If the Local Knowledge Objects setting is enabled, provide the short name of an app that is installed on both the federated search head of your local Splunk platform deployment and the remote search head of the federated provider.
If you leave this setting blank, Splunk software applies search, the short name of the Search & Reporting app, to this setting.
See Determine which knowledge objects are applied to federated searches.
Default value: search

Local Knowledge Objects
This switch determines whether the portions of federated searches that are processed on this federated provider use knowledge objects from your federated search head or knowledge objects from the remote search head on this federated provider.
You cannot disable Local Knowledge Objects for a transparent mode federated provider.
If you enable the Local Knowledge Objects setting for a standard mode federated provider, wait a few minutes before you try to run federated searches over that federated provider. This feature relies on knowledge bundle replication between the federated search head and the federated provider, which can take some time to complete. If you try to search data on the federated provider before the bundle replication process completes, you might encounter search errors.
See Determine which knowledge objects are applied to federated searches.
This setting also has implications for federated search security. See Service accounts and federated search security.
Default value: Disabled, when using standard mode. Permanently enabled, when using transparent mode.
- Click Test Connection to test the connection to the remote Splunk deployment that this federated provider definition is meant to set up.
You should see a "Connection successful" message at the top of the dialog if the values that you have provided for the Provider Name, Remote Host, Service Account Username, and Service Account Password fields are correct. If you get an error message instead, one or more of those fields has been set incorrectly. Update the fields and repeat this step until you get the "Connection successful" message. If you have trouble making a connection, see Troubleshoot a federated provider connection.
- Click Save to save the federated provider configuration.
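The following is an added example, not Splunk's own validation code: it checks a provider definition against the rules this page states (host name formats from the table above, the Provider Name and Remote Host rules, required service account fields, and the transparent mode constraint on Local Knowledge Objects) so that obvious mistakes are caught before you click Test Connection. The field names and the sample values are assumptions taken from this page.

```python
# Added example (not Splunk's code): pre-check a federated provider definition
# against the rules stated on this page before using Test Connection.
import ipaddress
import re

PROVIDER_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")

# Host name formats from the table above; "name" is <stack name> or <deployment name>.
# Order matters: the search head clustering patterns must be tried before the plain ones.
HOST_PATTERNS = [
    (r"^shc1\.(?P<name>[^.]+)\.splunkcloud\.com$", "Splunk Cloud Platform", True),
    (r"^(?P<name>[^.]+)\.splunkcloud\.com$", "Splunk Cloud Platform", False),
    (r"^(?P<name>[^.]+)-shc\.splunk\.com$", "Splunk Enterprise", True),
    (r"^shc-(?P<name>[^.]+)\.splunk\.com$", "Splunk Enterprise", True),
    (r"^(?P<name>[^.]+)\.splunk\.com$", "Splunk Enterprise", False),
]

def classify_host(host):
    """Return (deployment type, uses search head clustering) or None if unrecognised."""
    for pattern, kind, shc in HOST_PATTERNS:
        if re.match(pattern, host, re.IGNORECASE):
            return kind, shc
    return None

def parse_remote_host(value):
    """Split 'host:port' into (host, port); an IP address is accepted in place of a host name."""
    host, sep, port_text = value.rpartition(":")
    if not sep or not host or not port_text.isdigit():
        raise ValueError("Remote Host must be <host name or IP>:<port>")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError("port %d is out of range" % port)
    try:
        ipaddress.ip_address(host)          # valid IPv4/IPv6 literal
    except ValueError:
        if not re.match(r"^[A-Za-z0-9.-]+$", host):
            raise ValueError("host %r is neither an IP address nor a host name" % host)
    return host, port

def check_provider(settings):
    """Return a list of problems in a provider definition; an empty list means it passes."""
    problems = []
    name = settings.get("Provider Name", "")
    if not PROVIDER_NAME_RE.match(name):
        problems.append("Provider Name may contain only alphanumeric characters and underscores")
    elif name == "splunk":
        problems.append("Provider Name cannot be the string splunk by itself")
    try:
        parse_remote_host(settings.get("Remote Host", ""))
    except ValueError as err:
        problems.append(str(err))
    for field in ("Service Account Username", "Service Account Password"):
        if not settings.get(field):
            problems.append("%s is required" % field)
    if settings.get("Provider Mode") == "Transparent" and settings.get("Local Knowledge Objects") is False:
        problems.append("Local Knowledge Objects cannot be disabled for a transparent mode provider")
    return problems
```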
Troubleshoot a federated provider connection
If you are not able to get the Test Connection button to verify a connection between the federated provider and your local Splunk instance, try these troubleshooting methods.
- Make sure you have provided correct values for the Remote Host, Service Account Username, and Service Account Password fields. Verify that you have created a service account user for the federated provider.
- There may be setup issues that require assistance from Splunk Customer Support, especially if you are trying to set up federated search from or to a Splunk Cloud Platform deployment. If you have a support contract, log in and file a new case using the Splunk Support Portal. Otherwise, contact Splunk Customer Support.
About creating multiple federated provider definitions for the same host name and port
You can create multiple standard mode federated provider definitions that share the same host name and port as long as they all have different Provider name values. You might do this if you want to create different provider definitions for different app contexts on the same remote deployment.
You can create only one transparent mode federated provider definition for the host name and port of a remote search head.
Next step for a standard mode federated provider
If you have defined a standard mode federated provider, you need to define one or more federated indexes and associate remote datasets from the federated providers to those federated indexes. For more information, see Create a federated index.
Next step for a transparent mode federated provider
If you have defined a transparent mode federated provider, you are ready to run federated searches. See Run federated searches.
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2109, 8.2.2111, 8.2.2112