Define a Snowflake dataset

Create a Snowflake dataset definition to facilitate federated searches of a specific Snowflake table or view.

After you create a Snowflake connection, you define Snowflake datasets for use in federated searches. Each Snowflake dataset you define lets you run federated searches over a specific Snowflake table or view that is covered by the connection that you associate with the dataset.

  • You must have a Splunk Cloud Platform (SCP) deployment that is hosted on AWS (Amazon Web Services).

  • You must have a role on your SCP deployment that has the edit_connections and edit_datasets capabilities. See Define roles on the Splunk platform with capabilities in Securing Splunk Cloud Platform.

  • You must have a Snowflake environment. Federated Search for Snowflake works with Snowflake environments in any AWS cloud region. As a best practice, this environment should be in the same AWS cloud region as your Splunk Cloud Platform deployment.

  • You must have a valid Snowflake connection. See Create a Snowflake connection.
Note: Federated Search for Snowflake currently does not support search over Snowflake warehouses located in Azure or Google Cloud Platform (GCP) environments.
  1. In the Data Management app, on the Datasets page, select Create dataset.
  2. On the Select data store page, choose Snowflake, then select Next.
  3. On the Configure connection page, do one of the following things.
    • If a suitable Snowflake connection already exists for this dataset, select it from the Associated connection drop-down list and select Next.
    • If a suitable Snowflake connection does not already exist for this dataset, select Create connection. You are prompted to navigate away from the current screen to create a new connection. See Create a Snowflake connection. When you have successfully created a new connection, select Next.
  4. On the Define dataset page, provide values for the following fields, and then select Next.
    • Dataset name: Supply a unique name for your dataset. The dataset name can contain only alphanumeric characters, underscores, and hyphens.
    • Dataset description: (Optional) Provide a description for your dataset.
    • Table or view name: Provide the name of the Snowflake table or view that you want to search. This table or view must belong to the database and schema identified in the definition of the connection that this dataset is associated with.
  5. (Optional) On the Configure dataset step, select Define the time field if your dataset contains time-series data and you intend to use time-based fields and functions when you run searches over it.
    Note: If you have a time field in your table or view and you do not define it, searches of this dataset that have time range filters return incorrect results.

    If you select Define the time field, you must identify the Time field, Time format, and UNIX time field. These settings identify the time field in your dataset, provide its time format, and indicate the UNIX time field alias you want to use in your searches.

    Note: You do not need to fill out the Time zone field. It is superfluous and will be removed in an upcoming release.

    For more information about the Time settings fields, see Identify the time field in a Snowflake dataset.

  6. Select Next.
  7. On the Review page, review your dataset definition. If the details appear correct, select Create Dataset to create your dataset.
After you create your Snowflake dataset there are two things you should do: