About the standard and transparent modes
When you define a federated provider, you must decide which mode you want that provider to use. Federated provider modes offer different federated search experiences, and you must select the mode that best fits your needs.
There are two federated provider mode options:
- Standard mode
- Choose standard mode if you want to restrict data access to specific remote datasets such as indexes, saved searches, last scheduled search jobs, or data models. Standard mode is the best fit for federated search users who are not migrating from a hybrid search setup.
- Transparent mode
- Choose transparent mode if you want a simple transition to federated search or if you use hybrid searchand want to migrate to federated search. Transparent mode lets you run your hybrid mode searches without syntax changes.
- Transparent mode is available in Splunk Cloud Platform version 8.2.2107 and higher and Splunk Enterprise version 9.0.0 and higher.
Note: When you set up federated providers for your local Splunk platform deployment, do not arrange for multiple transparent mode federated providers or a mix of of transparent mode and standard mode federated providers to provide access to the same remote Splunk platform deployment. These practices can introduce unexpected complications, such as duplicated events.
If you must define multiple federated providers for your local deployment that are associated with the same remote deployment, avoid event duplication issues by ensuring that each of those federated providers uses standard mode.