Turn off transparent mode
If you are a Splunk platform deployment administrator, you can programatically turn transparent mode Federated Search for Splunk off or on for all users of your deployment with the Splunk REST API /data/federated/settings/general
endpoint. When you turn off transparent mode federated search for your Splunk platform deployment, your users can run federated searches over only standard mode federated providers.
For more information about /data/federated/settings/general
and other federated search REST API endpoints, see Federated search endpoint descriptions in the REST API Reference Manual.
Requirements
- Splunk Cloud Platform version 9.0.2212 or higher, or Splunk Enterprise version 9.1.0 or higher.
- You must have a role with the admin_all_objects and indexes_edit capabilities.
- In Splunk Cloud Platform, the sc_admin role has these capabilities by default. See Define roles on the Splunk platform with capabilities in the Securing Splunk Cloud Platform manual.
- If you use Splunk Cloud Platform you might need to take extra steps to access your deployment through the Splunk REST API. See Access requirements and limitations for the Splunk Cloud Platform REST API in REST API Tutorials
Authentication and authorization
There are two methods you can use to authenticate and authorize endpoint requests:
- Authentication token. You can create a valid JWT authentication token in Splunk Web.
- Username and password.
For more information about REST API authentication and authorization, see Basic Concepts about the Splunk platform REST API in the Splunk Enterprise REST API User Manual.
Get current state of transparent mode search
To determine whether transparent mode search is on or off for your Splunk platform deployment, you can send an HTTP GET request to the /data/federated/settings/general
endpoint. For example:
curl -k -u admin:changeme -X GET https://localhost:8107/services/data/federated/settings/general
The request output lists general federated search settings for your Splunk platform deployment, including the transparent_mode
setting. In this example output, transparent_mode = 0
, which means transparent mode is inactive for the deployment. If the output instead shows that transparent_mode
has a value of 1
, you know that transparent mode is active for the deployment.
<title>federated-settings</title> <id>https://localhost:8107/services/data/federated/settings</id> <updated>2023-01-17T18:16:50+00:00</updated> <generator build="3e6fd7359cb9c52ca06a5afee9190072a54e4d04" version="20230105"/> <author> <name>Splunk</name> </author> <link href="/services/data/federated/settings/_new" rel="create"/> <link href="/services/data/federated/settings/_reload" rel="_reload"/> <link href="/services/data/federated/settings/_acl" rel="_acl"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>general</title> <id>https://localhost:8107/servicesNS/nobody/system/data/federated/settings/general</id> <updated>1970-01-01T00:00:00+00:00</updated> <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="list"/> <link href="/servicesNS/nobody/system/data/federated/settings/general/_reload" rel="_reload"/> <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="edit"/> <link href="/servicesNS/nobody/system/data/federated/settings/general/disable" rel="disable"/> <content type="text/xml"> <s:dict> <s:key name="controlCommandsFeatureEnabled">1</s:key> <s:key name="controlCommandsMaxThreads">5</s:key> <s:key name="controlCommandsMaxTimeThreshold">5</s:key> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">system</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="eai:attributes"> <s:dict> <s:key name="optionalFields"> <s:list> <s:item>controlCommandsFeatureEnabled</s:item> <s:item>controlCommandsMaxThreads</s:item> <s:item>controlCommandsMaxTimeThreshold</s:item> <s:item>heartbeatEnabled</s:item> <s:item>needs_consent</s:item> </s:list> </s:key> <s:key name="requiredFields"> <s:list/> </s:key> <s:key name="wildcardFields"> <s:list> <s:item>.*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="needs_consent">1</s:key> <s:key name="transparent_mode">0</s:key> </s:dict> </content> </entry>
Turn transparent mode search on or off
To turn transparent mode search on or off for your Splunk platform deployment, send an HTTP POST request to the /data/federated/settings/general
endpoint. For example, here is an HTTP POST request to turn off transparent mode for a Splunk platform deployment by setting transparent_mode
to false
.
curl -k -u admin:changeme -X POST https://localhost:8107/services/data/federated/settings/general -d transparent_mode=false
If you need to turn transparent mode on, you can send the same request with transparent_mode=true.
Here is an example of the output from an HTTP POST request to turn off transparent mode for a Splunk platform deployment.
<title>federated-settings</title> <id>https://localhost:8107/services/data/federated/settings</id> <updated>2023-01-17T18:11:53+00:00</updated> <generator build="3e6fd7359cb9c52ca06a5afee9190072a54e4d04" version="20230105"/> <author> <name>Splunk</name> </author> <link href="/services/data/federated/settings/_new" rel="create"/> <link href="/services/data/federated/settings/_reload" rel="_reload"/> <link href="/services/data/federated/settings/_acl" rel="_acl"/> <opensearch:totalResults>1</opensearch:totalResults> <opensearch:itemsPerPage>30</opensearch:itemsPerPage> <opensearch:startIndex>0</opensearch:startIndex> <s:messages/> <entry> <title>general</title> <id>https://localhost:8107/servicesNS/nobody/system/data/federated/settings/general</id> <updated>1970-01-01T00:00:00+00:00</updated> <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="alternate"/> <author> <name>nobody</name> </author> <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="list"/> <link href="/servicesNS/nobody/system/data/federated/settings/general/_reload" rel="_reload"/> <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="edit"/> <link href="/servicesNS/nobody/system/data/federated/settings/general/disable" rel="disable"/> <content type="text/xml"> <s:dict> <s:key name="controlCommandsFeatureEnabled">1</s:key> <s:key name="controlCommandsMaxThreads">5</s:key> <s:key name="controlCommandsMaxTimeThreshold">5</s:key> <s:key name="disabled">0</s:key> <s:key name="eai:acl"> <s:dict> <s:key name="app">system</s:key> <s:key name="can_change_perms">1</s:key> <s:key name="can_list">1</s:key> <s:key name="can_share_app">1</s:key> <s:key name="can_share_global">1</s:key> <s:key name="can_share_user">0</s:key> <s:key name="can_write">1</s:key> <s:key name="modifiable">1</s:key> <s:key name="owner">nobody</s:key> <s:key name="perms"> <s:dict> <s:key name="read"> <s:list> <s:item>*</s:item> </s:list> </s:key> <s:key name="write"> <s:list> <s:item>*</s:item> </s:list> </s:key> </s:dict> </s:key> <s:key name="removable">0</s:key> <s:key name="sharing">system</s:key> </s:dict> </s:key> <s:key name="needs_consent">1</s:key> <s:key name="transparent_mode">0</s:key> </s:dict> </content> </entry>
Run federated searches over remote Splunk platform deployments | About Federated Search for Amazon S3 |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release), 9.2.2406, 9.0.2305
Feedback submitted, thanks!