Turn off transparent mode
If you are a Splunk platform deployment administrator, you can programatically turn transparent mode Federated Search for Splunk off or on for all users of your deployment with the Splunk REST API /data/federated/settings/general endpoint. When you turn off transparent mode federated search for your Splunk platform deployment, your users can run federated searches over only standard mode federated providers.
For more information about /data/federated/settings/general and other federated search REST API endpoints, see Federated search endpoint descriptions in the REST API Reference Manual.
Requirements
- Splunk Cloud Platform version 9.0.2212 or higher, or Splunk Enterprise version 9.1.0 or higher.
- You must have a role with the admin_all_objects and indexes_edit capabilities.
- In Splunk Cloud Platform, the sc_admin role has these capabilities by default. See Define roles on the Splunk platform with capabilities in the Securing Splunk Cloud Platform manual.
- If you use Splunk Cloud Platform you might need to take extra steps to access your deployment through the Splunk REST API. See Access requirements and limitations for the Splunk Cloud Platform REST API in REST API Tutorials
Authentication and authorization
There are two methods you can use to authenticate and authorize endpoint requests:
- Authentication token. You can create a valid JWT authentication token in Splunk Web.
- Username and password.
For more information about REST API authentication and authorization, see Basic Concepts about the Splunk platform REST API in the Splunk Enterprise REST API User Manual.
Get current state of transparent mode search
To determine whether transparent mode search is on or off for your Splunk platform deployment, you can send an HTTP GET request to the /data/federated/settings/general endpoint. For example:
curl -k -u admin:changeme -X GET https://localhost:8107/services/data/federated/settings/general
The request output lists general federated search settings for your Splunk platform deployment, including the transparent_mode setting. In this example output, transparent_mode = 0, which means transparent mode is inactive for the deployment. If the output instead shows that transparent_mode has a value of 1, you know that transparent mode is active for the deployment.
<title>federated-settings</title>
<id>https://localhost:8107/services/data/federated/settings</id>
<updated>2023-01-17T18:16:50+00:00</updated>
<generator build="3e6fd7359cb9c52ca06a5afee9190072a54e4d04" version="20230105"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/federated/settings/_new" rel="create"/>
<link href="/services/data/federated/settings/_reload" rel="_reload"/>
<link href="/services/data/federated/settings/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>general</title>
<id>https://localhost:8107/servicesNS/nobody/system/data/federated/settings/general</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/servicesNS/nobody/system/data/federated/settings/general" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/federated/settings/general" rel="list"/>
<link href="/servicesNS/nobody/system/data/federated/settings/general/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/federated/settings/general" rel="edit"/>
<link href="/servicesNS/nobody/system/data/federated/settings/general/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="controlCommandsFeatureEnabled">1</s:key>
<s:key name="controlCommandsMaxThreads">5</s:key>
<s:key name="controlCommandsMaxTimeThreshold">5</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>controlCommandsFeatureEnabled</s:item>
<s:item>controlCommandsMaxThreads</s:item>
<s:item>controlCommandsMaxTimeThreshold</s:item>
<s:item>heartbeatEnabled</s:item>
<s:item>needs_consent</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list>
<s:item>.*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="needs_consent">1</s:key>
<s:key name="transparent_mode">0</s:key>
</s:dict>
</content>
</entry>
Turn transparent mode search on or off
To turn transparent mode search on or off for your Splunk platform deployment, send an HTTP POST request to the /data/federated/settings/general endpoint. For example, to turn off transparent mode for a Splunk platform deployment, follow these steps.
- Run the following HTTP POST request to set
transparent_modetofalse:curl -k -u admin:changeme -X POST https://localhost:management-port/services/data/federated/settings/general -d transparent_mode=falseNote: To turn transparent mode on, send the same request withtransparent_mode=true. - You must reload the
federated/settings/generalendpoint by calling_reloadwith the following HTTP POST request; otherwise the change won't take effect:curl -k -u admin:changeme -X POST https://localhost:management-port/services/configs/conf-federated/_reload
Here is an example of the output from an HTTP POST request to turn off transparent mode for a Splunk platform deployment.
<title>federated-settings</title>
<id>https://localhost:8107/services/data/federated/settings</id>
<updated>2023-01-17T18:11:53+00:00</updated>
<generator build="3e6fd7359cb9c52ca06a5afee9190072a54e4d04" version="20230105"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/federated/settings/_new" rel="create"/>
<link href="/services/data/federated/settings/_reload" rel="_reload"/>
<link href="/services/data/federated/settings/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>general</title>
<id>https://localhost:8107/servicesNS/nobody/system/data/federated/settings/general</id>
<updated>1970-01-01T00:00:00+00:00</updated>
<link href="/servicesNS/nobody/system/data/federated/settings/general" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/federated/settings/general" rel="list"/>
<link href="/servicesNS/nobody/system/data/federated/settings/general/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/federated/settings/general" rel="edit"/>
<link href="/servicesNS/nobody/system/data/federated/settings/general/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="controlCommandsFeatureEnabled">1</s:key>
<s:key name="controlCommandsMaxThreads">5</s:key>
<s:key name="controlCommandsMaxTimeThreshold">5</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="needs_consent">1</s:key>
<s:key name="transparent_mode">0</s:key>
</s:dict>
</content>
</entry>