Obtain the AWS Glue Data Catalog database and tables
Along with the creation of the Security Lake subscriber for federated search access, which you completed in the previous step (Create subscribers), the Define provider step ensures that you can run federated searches over the remote datasets that you have stored in Amazon Security Lake.
The AWS Resource Access Manager automatically generates a resource share for you when you create your Amazon Security Lake subscriber for federated search access in your Amazon Security Lake account. The resource share contains the names of the AWS Glue database and the AWS Glue tables that you need to add to your federated provider definition in this step.
In the Define provider step, you obtain the name of the AWS Glue database for your federated provider and the names of the AWS Glue tables contained in that database, and you add those names to the AWS Glue database and AWS Glue tables fields in your federated provider definition. Each AWS Glue table represents a dataset that you store in Amazon Security Lake.
Prerequisites
You must already have created a new Amazon Security Lake subscriber for federated search access in your Amazon Security Lake account, and you must have added its Resource share name and Resource share ARN to the federated provider definition. See Create the Amazon Security Lake subscriber for federated search access.
Steps
- On your Splunk Cloud Platform deployment, in Splunk Web, at the Define provider step of the Add a new federated provider workflow, note the Resource share name value. This is the name of the resource share that AWS Resource Access Manager generated for you when you created your Amazon Security Lake subscriber for federated search access.
- On a separate browser tab, navigate to the AWS Resource Access Manager console. Under Shared by me, select Resource shares.
- In the Resource shares list, select the Name that matches the Resource share name on the Define provider step of the Add a new federated provider workflow.
- In the Define provider step of the Add a new federated provider workflow in Splunk Web, copy and paste in values from the Shared resources list of the detail page for the resource share in AWS Resource Access Manager:
  - Copy the Resource ID of the resource with a Resource type of glue:Database and paste the value into the federated provider's AWS Glue database field.
  - Copy the Resource ID values of the resources with a Resource type of glue:Table and paste them into the federated provider's AWS Glue tables field. When you paste an AWS Glue table value into the AWS Glue tables field, Splunk software cleans it up and removes trailing whitespace. Select the cleaned-up value to add it to the field.

    Note: For each glue:Table resource, paste in only the text that follows the last forward slash (/). For example, say you have the following Resource ID value in AWS Resource Access Manager:

    asl_glue_db_us_east_1/asl_table_stored_data_2_0

    In this case, you would paste the following value into the AWS Glue tables field of the Define provider step:

    asl_table_stored_data_2_0
- Select I confirm that my AWS Glue Data Catalog resources reside in the same AWS region.
- Select Continue to move on to the Set up data lake indexes step. See Set up data ingest and retention rules for data lake indexes.
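The values for the two fields can also be derived from the AWS CLI and cross-checked before you paste them. The following is an added example, not part of the Splunk or AWS documentation: it parses saved output of `aws ram list-resources --resource-owner SELF --resource-share-arns <Resource share ARN>`, returns the database name and the bare table names, and rejects shares whose Glue resources span regions or databases. It assumes the standard Glue ARN layout (`database/<db>` and `table/<db>/<table>`); the account ID and the JSON sample are constructed, and `provider_fields` is a hypothetical helper name.

```python
import json

# Constructed sample of `aws ram list-resources` output for the resource share.
# The account ID is made up; the trailing space imitates a sloppy copy/paste.
SAMPLE = json.dumps({"resources": [
    {"type": "glue:Catalog",
     "arn": "arn:aws:glue:us-east-1:111122223333:catalog"},
    {"type": "glue:Database",
     "arn": "arn:aws:glue:us-east-1:111122223333:database/asl_glue_db_us_east_1"},
    {"type": "glue:Table",
     "arn": "arn:aws:glue:us-east-1:111122223333:"
            "table/asl_glue_db_us_east_1/asl_table_stored_data_2_0 "},
]})


def provider_fields(list_resources_json):
    """Return (glue_database, [glue_tables]) for the provider definition."""
    databases, table_ids, regions = [], [], set()
    for res in json.loads(list_resources_json)["resources"]:
        if res["type"] not in ("glue:Database", "glue:Table"):
            continue  # other shared resource types are not entered in the form
        # arn:<partition>:glue:<region>:<account>:<kind>/<resource ID>
        parts = res["arn"].strip().split(":", 5)
        if len(parts) != 6 or parts[2] != "glue":
            raise ValueError(f"unexpected ARN: {res['arn']!r}")
        regions.add(parts[3])
        resource_id = parts[5].partition("/")[2]
        (databases if res["type"] == "glue:Database" else table_ids).append(resource_id)

    if len(databases) != 1:
        raise ValueError(f"expected exactly one glue:Database, got {databases}")
    if len(regions) != 1:
        # Mirrors the "reside in the same AWS region" confirmation step.
        raise ValueError(f"Glue resources span regions: {sorted(regions)}")

    tables = []
    for rid in table_ids:
        owner, _, name = rid.rpartition("/")  # keep text after the last slash
        if owner != databases[0]:
            raise ValueError(f"table {rid!r} is not in database {databases[0]!r}")
        tables.append(name)
    return databases[0], sorted(tables)


if __name__ == "__main__":
    print(provider_fields(SAMPLE))
```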
sdselect searches to indicate which Amazon Security Lake dataset you want to search.