Create a Snowflake connection

In the Data Management app, create a Snowflake connection that uses a programmatic access token (PAT) to authenticate federated searches over remote Snowflake tables and views.

Before you can run federated searches of your remote Snowflake tables and views, you must first go to the Data Management app and create a Snowflake connection. The Snowflake connection uses a programmatic access token to authenticate federated searches over Snowflake tables and views that belong to a specific Snowflake warehouse, database, and schema.

You specify the Snowflake warehouse, database, and schema in the definition of the Snowflake connection. You can create multiple Snowflake datasets that use the same Snowflake connection.

  • You must have a Splunk Cloud Platform (SCP) deployment that is hosted on AWS (Amazon Web Services).

  • You must have a role on your SCP deployment that has the edit_connections and edit_datasets capabilities. See Define roles on the Splunk platform with capabilities in Securing Splunk Cloud Platform.

  • You must have a Snowflake account. As a best practice, this account should be in the same AWS cloud region as your Splunk Cloud Platform deployment.

Before you can create a connection that authenticates federated search over a Snowflake dataset, you must first complete the following tasks in your Snowflake account, in the order provided. For guidance on how to complete these tasks, use the provided links to Snowflake documentation, or consult Snowflake's Cortex Code AI for instructions.

Note: As a best practice, use a Snowflake account that has the same AWS cloud region as your Splunk Cloud Platform deployment.
Tasks, each followed by its documentation:

  1. Identify or create a Snowflake role that has the following permissions:
       • USAGE permission for the Snowflake virtual warehouse that contains the data you want to allow your Splunk users to search.
       • USAGE permission for the Snowflake database and schema that contain the tables and views that you want to allow your Splunk users to search.
     Documentation: Creating custom roles
  2. Set up a network rule with a Type of IPv4 and a Mode of Ingress that allow-lists a set of IP ranges that correspond to the Cloud region of your Splunk Cloud Platform (SCP) deployment.
       • To get an IP address list that corresponds to the Cloud region of your SCP deployment, see IP address allow lists for Cloud regions.
       • Apply this network rule to the Database and Schema that contain the tables and views that you want to enable users to search with this connection.
     Documentation: Create a network rule
  3. Create a network policy and assign the IP allow list network rule to it.
     Documentation: Create a network policy
  4. Create a service user.
       • Assign the role you identified or created earlier to the service user.
       • Activate the network policy for the service user.
     Documentation: Consult Snowflake's Cortex Code AI for guidance on how to create a service user. To grant the role to the service user, see: Grant the role to users. To activate the network policy for the service user, see: Activate network policies for individual users.
  5. Update the authentication policy for the service user to allow it to generate a programmatic access token (PAT).
     Documentation: PAT prerequisites authentication
  6. Generate a programmatic access token for the service user. When you generate the PAT, grant access to the role you identified or created earlier.
     Note: When you generate this PAT, copy or download the token so you can use it for Snowflake connection setup. You cannot access it again through the Snowflake UI.
     Documentation: Generating a programmatic access token
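
The Snowflake-side tasks above, written out as SQL in the same order. This is an added example, not a script from Splunk or Snowflake; every object name (splunk_fs_role, splunk_wh, analytics_db.security, splunk_scp_ingress, splunk_scp_policy, splunk_pat_auth, splunk_fs_svc, splunk_fs_pat), the CIDR ranges, and the 30-day expiry are placeholders to replace with your own values.

```sql
-- Added example; every name, CIDR range and the expiry value is a placeholder.
-- 1. Role with only the USAGE grants the connection needs.
CREATE ROLE IF NOT EXISTS splunk_fs_role;
GRANT USAGE ON WAREHOUSE splunk_wh TO ROLE splunk_fs_role;
GRANT USAGE ON DATABASE analytics_db TO ROLE splunk_fs_role;
GRANT USAGE ON SCHEMA analytics_db.security TO ROLE splunk_fs_role;

-- 2. Ingress rule, created in the database and schema the connection covers.
--    Replace the documentation-range CIDRs with the ranges for your SCP region.
CREATE NETWORK RULE analytics_db.security.splunk_scp_ingress
  TYPE = IPV4
  MODE = INGRESS
  VALUE_LIST = ('192.0.2.0/24', '198.51.100.0/24');

-- 3. Network policy that allows only that rule.
CREATE NETWORK POLICY splunk_scp_policy
  ALLOWED_NETWORK_RULE_LIST = ('analytics_db.security.splunk_scp_ingress');

-- 4. Service user (TYPE = SERVICE users cannot sign in with a password),
--    bound to the role and the network policy.
CREATE USER splunk_fs_svc TYPE = SERVICE DEFAULT_ROLE = splunk_fs_role;
GRANT ROLE splunk_fs_role TO USER splunk_fs_svc;
ALTER USER splunk_fs_svc SET NETWORK_POLICY = splunk_scp_policy;

-- 5. Authentication policy that permits PATs for this user.
CREATE AUTHENTICATION POLICY analytics_db.security.splunk_pat_auth
  AUTHENTICATION_METHODS = ('PROGRAMMATIC_ACCESS_TOKEN');
ALTER USER splunk_fs_svc
  SET AUTHENTICATION POLICY analytics_db.security.splunk_pat_auth;

-- 6. Token restricted to the role. The secret is returned once: store it now.
ALTER USER splunk_fs_svc ADD PROGRAMMATIC ACCESS TOKEN splunk_fs_pat
  ROLE_RESTRICTION = 'SPLUNK_FS_ROLE'
  DAYS_TO_EXPIRY = 30;

-- Review what the role can reach and which tokens exist for the user.
SHOW GRANTS TO ROLE splunk_fs_role;
SHOW USER PROGRAMMATIC ACCESS TOKENS FOR USER splunk_fs_svc;
```

The page lists only USAGE permissions; in Snowflake, reading rows from a table or view also requires SELECT on that object, so grant SELECT on just the tables and views you intend to expose.
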
Note: Keep your Snowflake information open in a separate browser tab throughout the connection creation process, so that you can retrieve required values for authenticating your connection and configuring your dataset.
  1. On your Splunk Cloud Platform deployment, in Splunk Web, open the Data Management app.
  2. Open the Connections page in the Data Management app.
  3. Select Create connection.
  4. On the Select data store page, select Snowflake, and then Next.
  5. On the General page, configure the following settings, and then select Next:
    • Connection name: Enter a unique name for the connection. The connection name must start with a lower-case letter and can contain only lower-case alphanumeric characters, underscores, and hyphens.
    • Connection description: (Optional) Provide a description of the connection.
    • Snowflake account ID: Provide your Snowflake account ID.
  6. On the Storage authentication page, provide the following settings, and then select Next.
    Note: These settings require prerequisite items that you have already defined in your Snowflake account, such as the name of the Snowflake service user account and the programmatic access token (PAT) for that user. See the Prerequisites section of this topic for more information.
    • Snowflake user name: Provide the name of the service user you created for this connection in Snowflake.
    • Programmatic access token (PAT): Provide the PAT that you generated for the service user in Snowflake.
    • Role: (Optional) Provide the name of the role that you assigned to the service user you created in Snowflake.
    • Warehouse: Provide the name of the Snowflake virtual warehouse that supports search execution in your Snowflake account. The Role must have USAGE permission for this warehouse in Snowflake.
    • Database: Provide the name of the Snowflake database that contains the data you want your users to search. The Role must have USAGE permission for this database in Snowflake.
    • Schema: Provide the name of the Snowflake schema that contains the tables and views you want to enable your users to search. The schema must belong to the Database you have supplied for this connection. The Role must have USAGE permission for this schema in Snowflake.
  7. On the Review page, ensure that the entered information is correct, and then select Create to create your connection.

Now that you have created a connection to a specific warehouse, database, and schema in your Snowflake account, you can create a dataset definition that lets you run federated searches over a specific Snowflake table or view covered by that connection. See Define a Snowflake dataset.