Turn off transparent mode

If you are a Splunk platform deployment administrator, you can programatically turn transparent mode Federated Search for Splunk off or on for all users of your deployment with the Splunk REST API /data/federated/settings/general endpoint. When you turn off transparent mode federated search for your Splunk platform deployment, your users can run federated searches over only standard mode federated providers.

For more information about /data/federated/settings/general and other federated search REST API endpoints, see Federated search endpoint descriptions in the REST API Reference Manual.

Requirements

  • Splunk Cloud Platform version 9.0.2212 or higher, or Splunk Enterprise version 9.1.0 or higher.
  • You must have a role with the edit_deployment_server and indexes_edit capabilities.
    • If you use Splunk Cloud Platform, the sc_admin role has these capabilities by default. See Define roles on the Splunk platform with capabilities in the Securing Splunk Cloud Platform manual.
    • If you use Splunk Enterprise, the admin role has these capabilities by default. See in the Securing Splunk Enterprise manual.
  • If you use Splunk Cloud Platform you might need to take extra steps to access your deployment through the Splunk REST API. See Access requirements and limitations for the Splunk Cloud Platform REST API in REST API Tutorials

Authentication and authorization

There are two methods you can use to authenticate and authorize endpoint requests:

  • Authentication token. You can create a valid JWT authentication token in Splunk Web.
  • Username and password.

For more information about REST API authentication and authorization, see Basic Concepts about the Splunk platform REST API in the Splunk Enterprise REST API User Manual.

Get current state of transparent mode search

To determine whether transparent mode search is on or off for your Splunk platform deployment, you can send an HTTP GET request to the /data/federated/settings/general endpoint. For example:

CODE 
curl -k -u admin:changeme -X GET https://localhost:8107/services/data/federated/settings/general

The request output lists general federated search settings for your Splunk platform deployment, including the transparent_mode setting. In this example output, transparent_mode = 0, which means transparent mode is inactive for the deployment. If the output instead shows that transparent_mode has a value of 1, you know that transparent mode is active for the deployment.

CODE 
<title>federated-settings</title>
  <id>https://localhost:8107/services/data/federated/settings</id>
  <updated>2023-01-17T18:16:50+00:00</updated>
  <generator build="3e6fd7359cb9c52ca06a5afee9190072a54e4d04" version="20230105"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/federated/settings/_new" rel="create"/>
  <link href="/services/data/federated/settings/_reload" rel="_reload"/>
  <link href="/services/data/federated/settings/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>general</title>
    <id>https://localhost:8107/servicesNS/nobody/system/data/federated/settings/general</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="list"/>
    <link href="/servicesNS/nobody/system/data/federated/settings/general/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/federated/settings/general/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="controlCommandsFeatureEnabled">1</s:key>
        <s:key name="controlCommandsMaxThreads">5</s:key>
        <s:key name="controlCommandsMaxTimeThreshold">5</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:attributes">
          <s:dict>
            <s:key name="optionalFields">
              <s:list>
                <s:item>controlCommandsFeatureEnabled</s:item>
                <s:item>controlCommandsMaxThreads</s:item>
                <s:item>controlCommandsMaxTimeThreshold</s:item>
                <s:item>heartbeatEnabled</s:item>
                <s:item>needs_consent</s:item>
              </s:list>
            </s:key>
            <s:key name="requiredFields">
              <s:list/>
            </s:key>
            <s:key name="wildcardFields">
              <s:list>
                <s:item>.*</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="needs_consent">1</s:key>
        <s:key name="transparent_mode">0</s:key>
      </s:dict>
    </content>
  </entry>

Turn transparent mode search on or off

To turn transparent mode search on or off for your Splunk platform deployment, send an HTTP POST request to the /data/federated/settings/general endpoint. For example, to turn off transparent mode for a Splunk platform deployment, follow these steps.

  1. Run the following HTTP POST request to set transparent_mode to false:
    CODE 
    curl -k -u admin:changeme -X POST https://localhost:management-port/services/data/federated/settings/general -d transparent_mode=false
    Note: To turn transparent mode on, send the same request with transparent_mode=true.
  2. You must reload the federated/settings/general endpoint by calling _reload with the following HTTP POST request; otherwise the change won't take effect:
    CODE 
    curl -k -u admin:changeme -X POST https://localhost:management-port/services/configs/conf-federated/_reload

Here is an example of the output from an HTTP POST request to turn off transparent mode for a Splunk platform deployment.

CODE 
<title>federated-settings</title>
  <id>https://localhost:8107/services/data/federated/settings</id>
  <updated>2023-01-17T18:11:53+00:00</updated>
  <generator build="3e6fd7359cb9c52ca06a5afee9190072a54e4d04" version="20230105"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/services/data/federated/settings/_new" rel="create"/>
  <link href="/services/data/federated/settings/_reload" rel="_reload"/>
  <link href="/services/data/federated/settings/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>general</title>
    <id>https://localhost:8107/servicesNS/nobody/system/data/federated/settings/general</id>
    <updated>1970-01-01T00:00:00+00:00</updated>
    <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="list"/>
    <link href="/servicesNS/nobody/system/data/federated/settings/general/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/system/data/federated/settings/general" rel="edit"/>
    <link href="/servicesNS/nobody/system/data/federated/settings/general/disable" rel="disable"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="controlCommandsFeatureEnabled">1</s:key>
        <s:key name="controlCommandsMaxThreads">5</s:key>
        <s:key name="controlCommandsMaxTimeThreshold">5</s:key>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl"> 
          <s:dict>
            <s:key name="app">system</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">0</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">nobody</s:key>
            <s:key name="perms">
              <s:dict>
                <s:key name="read">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
                <s:key name="write">
                  <s:list>
                    <s:item>*</s:item>
                  </s:list>
                </s:key>
              </s:dict>
            </s:key>
            <s:key name="removable">0</s:key>
            <s:key name="sharing">system</s:key>
          </s:dict>
        </s:key>
        <s:key name="needs_consent">1</s:key>
        <s:key name="transparent_mode">0</s:key>
      </s:dict>
    </content>
  </entry>