Run Federated Analytics searches
After you define your Federated Analytics federated provider, you can use your data lake indexes and federated indexes to run searches of your Amazon Security Lake data. The method you choose depends on the age of the data you want to review.
| Age of data | Location of data | Type of search run | 
|---|---|---|
| Newer data (up to 31 days old, depending on the retention period set for each data lake index) | In data lake indexes on your Splunk Cloud Platform deployment, freshly ingested from your Amazon Security Lake account. | Standard searches that reference data lake indexes, using standard Splunk processing language (SPL). | 
| Older data (whatever exceeds the retention period of your data lake indexes) | In your remote Amazon Security Lake datasets | Searches that use the sdselectcommand to reference federated indexes. Each federated index maps to a specific remote dataset in your Amazon Security Lake account. | 
sdselect search, as related AWS resources are created and accepted in the AWS account to which your Splunk Cloud Platform belongs.Search recent Amazon Security Lake data in your data lake indexes
When you set up a Federated Analytics federated provider, you define one or more data lake indexes that ingest data from your Amazon Security Lake account on an ongoing basis. All ingested Amazon Security Lake data follows the Open Cybersecurity Schema Framework (OCSF) format, and each index you define has filters that ensure that it ingests only data conforming to a specific OCSF category, such as Application Activity, Findings, or Identity & Access.
You can run a search over one or more data lake indexes by referencing the indexes in your search and then using the same SPL you would use for any other Splunk search. All data lake index names begin with dl_ by default. If you keep this naming convention you can search all of your data lake indexes at once by putting dl_* in your search string. 
Because data lake indexes contain fresh, local data, they are ideal for scheduled searches and alerts that run on a frequent basis.
Here is an example of a simple threat-hunting search of a single data lake index.
index=dl_network_activity_index
  AND _time >= 1716415000
  AND _time <= 1716415000 + <time_window_in_seconds>
  AND traffic.bytes > 66666
  AND src_endpoint.port = 6666
  AND connection_info.protocol_num = 6
  AND traffic.packets = 66
| table traffic.bytes, src_endpoint.ip, dst_endpoint.ipEach data lake index has a data retention period that you define as part of the federated provider setup. Data lake index retention periods can span up to a maximum of 31 days from the time you run your search. If you want to search Amazon Security Lake data with timestamps that exceed the retention periods of your data lake indexes, you will need to run a federated search of the remote datasets in your Amazon Security Lake account.
tstats searches over that data.See Full index-time field extraction for improved performance of data lake index searches.
If you need help with SPL, see the following manuals:
- If you are new to Splunk software and searching, start with the Search Tutorial.
- For detailed information about running searches with SPL see the Search Manual and the Search Reference.
Run federated searches over remote datasets in your Amazon Security Lake account
Run federated searches over your remote Amazon Security Lake datasets where they live in Amazon S3 when you need to access ASL data that you're not ingesting into your data lake indexes, or when you need to review ASL data with timestamps that exceed your data lake index retention periods.
Federated searches over remote Amazon Security Lake datasets are best suited for ad hoc threat hunting searches that you run on an infrequent basis, due to the performance and cost limitations of such searches.
When you write a federated search you must do the following things:
- Begin your search with the sdselectcommand. In federated searches, thesdselectcommand does the most work.
- Invoke a federated index that you defined for your federated provider. Each federated index maps to a specific remote dataset in your Amazon Security Lake account. The sdselectcommand does not support searching multiple federated indexes with a single search.
Here is an example of a simple threat-hunting federated search of the dataset represented by a single federated index.
| sdselect strict=t traffic.bytes, src_endpoint.ip, dst_endpoint.ip 
  FROM dlf_buttercup_fa_all_asl_data_tables_index
  WHERE time >= 1716415000000
  AND time <= 1716415000000 + <time_window_in_seconds> * 1000
  AND (eventDay="20240522" OR eventDay="20240523")
  AND category_name="Network Activity"
  AND traffic.bytes > 66666
  AND src_endpoint.port = 6666
  AND connection_info.protocol_num = 6
  AND traffic.packets = 66For more information about using sdselect to run federated searches, see sdselect command overview.
Run Federated Analytics searches and detections in Splunk Enterprise Security
After you define your Federated Analytics federated provider, you can configure Splunk Enterprise Security to detect and hunt threats in your Federated Analytics data. See Federated Analytics and Splunk Enterprise Security.