Search over a transparent mode federated provider
When you run searches over a transparent mode federated provider, you can search as if you were searching over your local deployment. No special syntax is required. The search permissions associated with your role govern what you can search on the federated provider.
Searching accelerated data models in transparent mode
After you set up transparent mode federated search, accelerated data models on your local Splunk platform deployment create data model acceleration summaries on indexers of your local deployment and on indexers of your transparent mode federated provider. You do not need to set up accelerated data models on your transparent mode federated provider.
In your federated search, reference a local accelerated data model to return both local and remote results.
See About data models and Accelerate data models in the Knowledge Manager Manual.
Restrictions for transparent mode federated search
Transparent mode federated search does not support the following things:
- Real-time search.
- Using the meventcollect command in searches.
- Using the datamodel command to search remote data models.
- Using from to search saved search datasets on the federated provider. You can use from to search saved search datasets on your local deployment.
- Using the federated: syntax to refer to specific federated indexes. Transparent mode searches do not use federated indexes.
Blocked commands for transparent mode federated search
Certain commands are blocked in transparent mode federated searches. When you use a blocked command in a transparent mode federated search, the search returns a warning message and returns results only from your local search head.
The following commands are entirely blocked in transparent mode federated searches:
- delete
- dump
- loadjob
- map
- rest
- run
- runshellscript
- script
- sendalert
- sendemail
The commands in this list are classified as risky commands. See SPL safeguards for risky commands in Securing Splunk.
In addition, in certain situations, the makeresults and tstats commands are blocked or restricted.
Transparent mode federated searches that use the makeresults command are blocked unless you use the splunk_server or splunk_server_group argument to reference a search head, search head cluster, indexer, or indexer cluster on either your local Splunk platform deployment or the remote federated provider involved in the search. Splunk software processes the makeresults search on the local or remote server that you indicate with either of these arguments. For more information, see makeresults in the Search Reference.
tstats searches that include a FROM clause are blocked for transparent mode federated searches over federated providers with Splunk Cloud Platform versions lower than 9.0.2303 or Splunk Enterprise versions lower than 9.1.0. If you use multiple transparent mode federated providers, the tstats search is processed only on federated providers with qualifying versions. For more information, see tstats in the Search Reference.
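As an added example (not Splunk code), the following pre-flight check walks an SPL pipeline and flags the stages this page says are blocked, unsupported, or version-restricted in a transparent mode federated search, so a search owner can see before dispatch why results might come only from the local search head. The function names and the sample searches are constructed for this illustration; the pipe splitting is naive and does not handle a "|" inside quotes.

```python
import re

# Commands the page lists as entirely blocked in transparent mode federated searches.
BLOCKED_COMMANDS = {
    "delete", "dump", "loadjob", "map", "rest", "run",
    "runshellscript", "script", "sendalert", "sendemail",
}
# Commands the page lists as not supported in transparent mode.
UNSUPPORTED_COMMANDS = {"meventcollect"}
# makeresults is allowed only when one of these arguments names a server.
SERVER_ARG = re.compile(r"\bsplunk_server(_group)?\s*=", re.I)


def split_pipeline(spl):
    """Split an SPL string into pipe-separated stages (naive: ignores quoted pipes)."""
    stages = [s.strip() for s in spl.strip().split("|")]
    if stages and stages[0] == "":
        stages = stages[1:]                  # leading '|': no implicit search stage
    elif stages:
        stages[0] = "search " + stages[0]    # bare terms are an implicit search command
    return [s for s in stages if s]


def check_transparent_mode_search(spl):
    """Return (command, reason) tuples for each stage that this page says is
    blocked, unsupported, or restricted in a transparent mode federated search."""
    findings = []
    for stage in split_pipeline(spl):
        cmd = stage.split(None, 1)[0].lower()
        if cmd in BLOCKED_COMMANDS:
            findings.append((cmd, "risky command: blocked, results only from local search head"))
        elif cmd in UNSUPPORTED_COMMANDS:
            findings.append((cmd, "not supported in transparent mode"))
        elif cmd == "makeresults" and not SERVER_ARG.search(stage):
            findings.append((cmd, "blocked unless splunk_server/splunk_server_group names a server"))
        elif cmd == "tstats" and re.search(r"\bfrom\b", stage, re.I):
            findings.append((cmd, "FROM clause: needs Splunk Cloud 9.0.2303+ or Enterprise 9.1.0+ on the provider"))
        if "federated:" in stage.lower():
            findings.append((cmd, "federated: index syntax is not used by transparent mode searches"))
    return findings


if __name__ == "__main__":
    # Constructed sample searches, not taken from the page.
    for q in ["index=web status=500 | stats count by host",
              "| makeresults count=5 | eval x=1",
              "| tstats count from datamodel=Web by Web.action",
              "index=web | sendemail to=soc@example.com"]:
        print(q, "->", check_transparent_mode_search(q) or "ok")
```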