Splunk Cloud Platform

Federated Search

Manage existing Amazon Security Lake federated providers, federated indexes, and data lake indexes

After you define an Amazon Security Lake federated provider for Federated Analytics, you can do the following things:

  • Edit the definition of that federated provider, including the definitions of the data lake indexes and federated indexes that are associated with it.
  • Temporarily deactivate federated providers, individual data lake indexes, and individual federated indexes.
  • Permanently delete federated providers and individual federated indexes.

Edit definitions of federated providers, federated indexes, or data lake indexes

You can edit an Amazon Security Lake federated provider definition after you complete all of the steps of federated provider creation, such as the definition of Amazon Security Lake subscribers, the retrieval of AWS Glue information, and the setup of data lake indexes and federated indexes for the federated provider. For more information about these steps, see About Federated Analytics.

When you select Edit for an Amazon Security Lake federated index or data lake index, you access the definition of the federated provider to which the federated index or data lake index belongs. From there you can edit aspects of that federated provider, as well as aspects of the federated indexes and data lake indexes associated with that federated provider.

Prerequisites

  • A role on your Splunk Cloud Platform deployment that has the admin_all_objects capability.
  • An Amazon Security Lake federated provider that is listed on the Federated Providers tab of the Federation page.

Steps

  1. On your Splunk Cloud Platform deployment, in Splunk Web, select Settings, then Federation.
  2. Go to the tab for the item that you want to edit: Federated providers, Federated indexes, or Data lake indexes.
  3. Make selections depending on whether you want to edit a federated provider, federated index, or data lake index.
    • If you want to edit a federated provider, select View for the federated provider. Then, on the federated provider summary page, select Edit provider.
    • If you want to edit a federated index or data lake index, select Edit for the index. This selection takes you to the edit page for the federated provider to which the index belongs.
  4. (Optional) Add or remove AWS Glue tables.

    If you change the list of AWS Glue tables, you must select Update federated index list to ensure that the federated provider's list of federated indexes corresponds with its AWS Glue tables list.

  5. (Optional) Update Event class and Retention period values for individual data lake indexes.
  6. (Optional) Update time partition settings for individual federated indexes, if they do not match the AWS source version of the Amazon Security Lake dataset to which the federated index is mapped. Select the pencil icon for a specific index to open the time partition settings window for that index.
  7. Select Save to save your changes.

For more information about setting Event class and Retention period values for data lake indexes, see Set up data ingest and retention rules for data lake indexes.

For more information about federated index time partition settings and the AWS source versions of your Amazon Security Lake datasets, see Optimize federated searches of Amazon Security Lake datasets by defining time partition settings.

Deactivate a federated provider

When you deactivate an Amazon Security Lake federated provider, you are removing the federated provider from active service without deleting it. Deactivated federated providers can be activated again when you need them.

When you deactivate a federated provider, Splunk software deactivates all of the federated indexes and data lake indexes associated with that provider and displays those indexes on the Federated indexes and Data lake indexes tabs with a Status of Provider inactive.

You cannot manually activate individual federated indexes and data lake indexes with a Status of Provider inactive. To activate such indexes you must activate the federated provider to which the indexes belong.

Prerequisites

  • A role on your Splunk Cloud Platform deployment that has the admin_all_objects capability.
  • An Amazon Security Lake federated provider that is listed on the Federated Providers tab of the Federation page.

Steps

  1. On your Splunk Cloud Platform deployment, in Splunk Web, select Settings, then Federation.
  2. On the Federated providers tab, select Deactivate for the federated provider that you want to take offline.
  3. A warning message appears. If you still want to deactivate the federated provider, select Deactivate.

You can activate an inactive federated provider by following these same steps and selecting Activate where previously you selected Deactivate.

Deactivate a federated index or data lake index

Deactivate individual federated indexes and data lake indexes when you need to temporarily take them offline without deleting them. Deactivated federated indexes and data lake indexes can be activated again when you need them.

When you deactivate an individual federated index, that federated index cannot connect to the dataset to which it is mapped. Federated searches that include a reference to the federated index will not return results from that federated index.

When you deactivate an individual data lake index, that index stops ingesting data from your Amazon Security Lake account. When a data lake index is deactivated, you can still search the data that it contains. A deactivated data lake index cannot ingest new Amazon Security Lake data until you activate it again.

If you deactivate a federated index or data lake index, and you subsequently deactivate the federated provider with which that federated index or data lake index is associated, that federated index or data lake index is not automatically reactivated when you reactivate the federated provider. You must manually reactivate indexes associated with a federated provider after you reactivate the federated provider.

Prerequisites

  • A role on your Splunk Cloud Platform deployment that has the admin_all_objects capability.
  • An Amazon Security Lake federated provider that is listed on the Federated Providers tab of the Federation page.

Steps

  1. On your Splunk Cloud Platform deployment, in Splunk Web, select Settings, then Federation.
  2. Go to the tab for the type of index that you want to deactivate: Federated indexes or Data lake indexes.
  3. Select Deactivate for the federated index or data lake index that you want to remove from service.
  4. A warning message appears. If you still want to deactivate the federated index or data lake index, select Deactivate.

You can activate an inactive federated index or data lake index by following these same steps and selecting Activate where previously you selected Deactivate.

If your federated index or data lake index is deactivated with a Status of Provider inactive, this means that the provider the index is associated with has been deactivated. In this case, to activate the index you must activate its provider.

When you activate a federated provider, all of the federated indexes and data lake indexes associated with the provider are also activated.

Delete a federated provider

You can delete a federated provider that you no longer require, as long as any federated indexes associated with the federated provider have already been deleted. See Delete a federated index.

When you delete a federated provider, the following things happen:

  • All of the data lake indexes associated with that federated provider stop ingesting data from Amazon Security Lake.
  • Splunk software removes the data lake indexes from the Federated providers tab, but does not delete them. The data they contain remains searchable. Manage orphaned data lake indexes by selecting Settings, then Indexes.

For more information about the Indexes page in Settings, see Manage Splunk Cloud Platform indexes in the Splunk Cloud Platform Admin Manual.

Prerequisites

  • A role on your Splunk Cloud Platform deployment that has the admin_all_objects capability.
  • An Amazon Security Lake federated provider that is listed on the Federated Providers tab of the Federation page.

Steps

  1. On your Splunk Cloud Platform deployment, in Splunk Web, select Settings, then Federation.
  2. On the Federated providers tab, locate the federated provider you want to delete and select Delete.
  3. A warning message appears. If you still want to delete the federated provider, select Delete.

Delete a federated index

You can delete an individual federated index that you no longer require.

If you want to delete a federated provider, you must first delete any federated indexes that are associated with that federated provider.

Prerequisites

  • A role on your Splunk Cloud Platform deployment that has the admin_all_objects capability.
  • An Amazon Security Lake federated provider that is listed on the Federated Providers tab of the Federation page.

Steps

  1. On your Splunk Cloud Platform deployment, in Splunk Web, select Settings, then Federation.
  2. Open the Federated indexes tab.
  3. Locate the federated index you want to delete and select Delete.
  4. A warning message appears. If you still want to delete the federated index, select Delete.
Last modified on 19 December, 2024

This documentation applies to the following versions of Splunk Cloud Platform: 9.3.2408

