Configure index-based search targeting for transparent mode federated providers

Index-based search targeting lets administrators route federated search requests to specific transparent mode federated providers based on the indexes in a search. This gives you more control over which remote Splunk platform deployments receive search requests.

Use index-based search targeting to reduce unnecessary requests to federated providers and limit where searches and search logs are sent. This can improve search performance, reduce system overhead, and give administrators more control over sensitive search activity in distributed Federated Search for Splunk environments. For example, by targeting searches only to relevant providers, you can minimize exposure of sensitive information and help ensure that search logs are available only where they are needed.

Administrators can use the following REST endpoint parameters to configure index-based provider selection for Federated Search for Splunk by specifying which indexes federated search heads can access from federated providers when operating in transparent mode:

  • The allowIndexBasedProviderFiltering parameter, on the data/federated/settings/general endpoint, which turns on index-based filtering for federated providers.
  • The fedSrchIndexesAllowed parameter, on the data/federated/provider/{federated_provider_name} endpoint, which specifies the indexes that are accessible from each federated provider.

How index-based search targeting works

When the allowIndexBasedProviderFiltering parameter is set to true, the federated search head compares the indexes in a search with the fedSrchIndexesAllowed value of each transparent mode federated provider.

If at least one index in the search matches the provider's fedSrchIndexesAllowed value, the provider is included in the federated search. If none of the indexes match, the provider is excluded.

For example, if a provider has fedSrchIndexesAllowed set to prod_*, the provider is included for the following search:

CODE
index=prod_data OR index=test_data

The same provider is excluded for this search:

CODE
index=test_data OR index=test_user

The fedSrchIndexesAllowed setting adds to, but does not override, role-based access control (RBAC). A search can target a provider, but users receive results only from indexes that their roles permit them to search.
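The selection rule above, as an added local model for reasoning about which providers a search would target; this is illustrative code, not Splunk's implementation. It uses constructed provider settings built from the page's own values (prod_*, prod_*_test;local*, *, and an empty value) and a simplified index-term extraction that only recognises plain index=<name> terms.

```python
import re
from typing import Dict, List

# Constructed fedSrchIndexesAllowed values, one per provider, modelled on the
# page's examples (not real provider configuration).
PROVIDERS: Dict[str, str] = {
    "east_provider": "prod_*;security_*",   # semicolon-separated patterns
    "lab_provider": "prod_*_test;local*",   # '*' inside a pattern
    "all_provider": "*",                    # wildcard: any index targets it
    "parked_provider": "",                  # empty: never targeted
}

# Simplified SPL index-term extraction (assumption: no quoted or negated
# index terms, which real SPL allows and this model does not handle).
_INDEX_TERM = re.compile(r"\bindex=([A-Za-z0-9_*\-]+)")


def search_indexes(search: str) -> List[str]:
    """Return the index names that appear as index=<name> in a search string."""
    return _INDEX_TERM.findall(search)


def _pattern_matches(pattern: str, index: str) -> bool:
    # Only '*' is a wildcard; every other character in the pattern is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index) is not None


def provider_is_targeted(allowed: str, indexes: List[str]) -> bool:
    """Documented rule: included if at least one search index matches at least
    one allowed pattern; an empty fedSrchIndexesAllowed value excludes the provider."""
    patterns = [p.strip() for p in allowed.split(";") if p.strip()]
    if not patterns:
        return False
    return any(_pattern_matches(p, idx) for p in patterns for idx in indexes)


def select_providers(search: str, providers: Dict[str, str] = PROVIDERS) -> List[str]:
    """Names of the providers that the given search would be sent to, sorted."""
    indexes = search_indexes(search)
    return sorted(name for name, allowed in providers.items()
                  if provider_is_targeted(allowed, indexes))


if __name__ == "__main__":
    for spl in ("index=prod_data OR index=test_data",
                "index=test_data OR index=test_user",
                "index=prod_security_test"):
        print(f"{spl!r} -> {select_providers(spl)}")
```

A search that names no index at all matches no pattern and so targets no provider in this model; the page does not describe that case, so treat it as an assumption.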

Set up index-based search targeting

To configure index-based search targeting for transparent mode federated providers, use the Splunk REST API federated search endpoints to turn on index-based provider filtering and then configure the allowed indexes for each transparent mode federated provider.

To configure index-based search targeting for transparent mode federated providers, you must first turn on index-based provider filtering. Then, configure the allowed indexes for each transparent mode federated provider.
  1. Turn on index-based provider filtering:
    1. Run the following request on the federated search head to set allowIndexBasedProviderFiltering to true on the Splunk REST API data/federated/settings/general endpoint:
      CODE
      curl -k -u <username>:<password> -X POST \
        https://<host>:<mPort>/services/data/federated/settings/general \
        -d allowIndexBasedProviderFiltering=true
  2. Configure allowed indexes for each transparent mode federated provider:
    1. For each transparent mode federated provider, run the following request on the Splunk REST API data/federated/provider/{federated_provider_name} endpoint to set fedSrchIndexesAllowed to the indexes or index patterns that can cause searches to target each provider:
      CODE
      curl -k -u <username>:<password> -X POST \
        https://<host>:<mPort>/services/data/federated/provider/<federated_provider_name> \
        -d 'fedSrchIndexesAllowed=<index_or_pattern>;<index_or_pattern>'

      You can set fedSrchIndexesAllowed to one of the following values:

      • A wildcard (*), which searches all federated indexes that the provider is allowed to search.
      • A semicolon-separated list of indexes or index patterns.
      • An empty value, which prevents the provider from being searched.
      For example, you can use * as a wildcard in index patterns like this:
      CODE
      -d 'fedSrchIndexesAllowed=prod_*_test;local*'
      This value matches indexes such as prod_security_test, prod_finance_test, and local_telemetry.

The following example turns on index-based provider filtering and configures a transparent mode federated provider named east_provider that is targeted only by searches that include indexes matching prod_* or security_*.

CODE
curl -k -u admin:changeme -X POST \
  https://localhost:8089/services/data/federated/settings/general \
  -d allowIndexBasedProviderFiltering=true
CODE
curl -k -u admin:changeme -X POST \
  https://localhost:8089/services/data/federated/provider/east_provider \
  -d 'fedSrchIndexesAllowed=prod_*;security_*'