Splunk Cloud Platform

Federated Search

Turn off transparent mode

If you are a Splunk platform deployment administrator, you can programatically turn transparent mode Federated Search for Splunk off or on for all users of your deployment with the Splunk REST API /data/federated/settings/general endpoint. When you turn off transparent mode federated search for your Splunk platform deployment, your users can run federated searches over only standard mode federated providers.

For more information about /data/federated/settings/general and other federated search REST API endpoints, see Federated search endpoint descriptions in the REST API Reference Manual.

Requirements

Authentication and authorization

There are two methods you can use to authenticate and authorize endpoint requests:

  • Authentication token. You can create a valid JWT authentication token in Splunk Web.
  • Username and password.

For more information about REST API authentication and authorization, see Basic Concepts about the Splunk platform REST API in the Splunk Enterprise REST API User Manual.

Get current state of transparent mode search

To determine whether transparent mode search is on or off for your Splunk platform deployment, you can send an HTTP GET request to the /data/federated/settings/general endpoint. For example:

curl -k -u admin:changeme -X GET https://localhost:8107/services/data/federated/settings/general

The request output lists general federated search settings for your Splunk platform deployment, including the transparent_mode setting. In this example output, transparent_mode = 0, which means transparent mode is inactive for the deployment. If the output instead shows that transparent_mode has a value of 1, you know that transparent mode is active for the deployment.

  <title>federated-settings</title>
  <id>https://localhost:8107/services/data/federated/settings</id>
  <updated>2023-01-17T18:16:50+00:00</updated>
  <generator build="3e6fd7359cb9c52ca06a5afee9190072a54e4d04" version="20230105"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/federated/settings/_new" rel="create"/>
  <link href="/services/data/federated/settings/_reload" rel="_reload"/>
  <link href="/services/data/federated/settings/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>general</title>
    <id>https://localhost:8107/servicesNS/nobody/system/data/federated/settings/general</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="list"/>
    <link href="/servicesNS/nobody/system/data/federated/settings/general/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/federated/settings/general/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="controlCommandsFeatureEnabled">1</s:key>
        <s:key name="controlCommandsMaxThreads">5</s:key>
        <s:key name="controlCommandsMaxTimeThreshold">5</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>controlCommandsFeatureEnabled</s:item>
                <s:item>controlCommandsMaxThreads</s:item>
                <s:item>controlCommandsMaxTimeThreshold</s:item>
                <s:item>heartbeatEnabled</s:item>
                <s:item>needs_consent</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>.*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="needs_consent">1</s:key>
        <s:key name="transparent_mode">0</s:key>
      </s:dict>
    </content>
  </entry>

Turn transparent mode search on or off

To turn transparent mode search on or off for your Splunk platform deployment, send an HTTP POST request to the /data/federated/settings/general endpoint. For example, here is an HTTP POST request to turn off transparent mode for a Splunk platform deployment by setting transparent_mode to false.

curl -k -u admin:changeme -X POST https://localhost:8107/services/data/federated/settings/general -d transparent_mode=false

If you need to turn transparent mode on, you can send the same request with transparent_mode=true.

Here is an example of the output from an HTTP POST request to turn off transparent mode for a Splunk platform deployment.

  <title>federated-settings</title>
  <id>https://localhost:8107/services/data/federated/settings</id>
  <updated>2023-01-17T18:11:53+00:00</updated>
  <generator build="3e6fd7359cb9c52ca06a5afee9190072a54e4d04" version="20230105"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/federated/settings/_new" rel="create"/>
  <link href="/services/data/federated/settings/_reload" rel="_reload"/>
  <link href="/services/data/federated/settings/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>general</title>
    <id>https://localhost:8107/servicesNS/nobody/system/data/federated/settings/general</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="list"/>
    <link href="/servicesNS/nobody/system/data/federated/settings/general/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/federated/settings/general/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="controlCommandsFeatureEnabled">1</s:key>
        <s:key name="controlCommandsMaxThreads">5</s:key>
        <s:key name="controlCommandsMaxTimeThreshold">5</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl"> 
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="needs_consent">1</s:key>
        <s:key name="transparent_mode">0</s:key>
      </s:dict>
    </content>
  </entry>
Last modified on 06 March, 2024
Run federated searches over remote Splunk platform deployments   About Federated Search for Amazon S3

This documentation applies to the following versions of Splunk Cloud Platform: 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release), 9.2.2406, 9.0.2305


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters