About the standard and transparent modes

When you define a federated provider, you must decide which mode you want that provider to use. Federated provider modes offer different federated search experiences, and you must select the mode that best fits your needs.

There are two federated provider mode options:

  • Standard mode
    • Choose standard mode if you want to restrict data access to specific remote datasets such as indexes, saved searches, last scheduled search jobs, or data models. Standard mode is the best fit for federated search users who are not migrating from a hybrid search setup.
  • Transparent mode
    • Choose transparent mode if you use hybrid search and want to migrate to federated search. Transparent mode lets you run your hybrid mode searches without syntax changes.

Note: When you set up federated providers for your local Splunk platform deployment, do not arrange for multiple transparent mode federated providers or a mix of transparent mode and standard mode federated providers to provide access to the same remote Splunk platform deployment. These practices can introduce unexpected complications, such as duplicated events.
If you must define multiple federated providers for your local deployment that are associated with the same remote deployment, avoid event duplication issues by ensuring that each of those federated providers uses standard mode.

Transparent mode is available in Splunk Cloud Platform version 8.2.2107 and higher and Splunk Enterprise version 9.0.0 and higher. The following table describes the differences between the two modes.

Each category below is followed by its description for standard mode federated search and for transparent mode federated search.

Kinds of federated search

  Standard mode federated search: Applies to the following kinds of federated search:
    • Splunk Cloud Platform to Splunk Cloud Platform
    • Splunk Enterprise to Splunk Enterprise
    • Splunk Cloud Platform to Splunk Enterprise
    • Splunk Enterprise to Splunk Cloud Platform, if you are not migrating to federated search from a hybrid search setup.

  Transparent mode federated search: Applies to Splunk Enterprise to Splunk Cloud Platform federated search, if you are migrating from a hybrid search setup.
  Also applies to the following kinds of federated search:
    • Splunk Cloud Platform to Splunk Cloud Platform
    • Splunk Enterprise to Splunk Enterprise
  Note: The Splunk Cloud Platform to Splunk Enterprise kind of federated search does not support transparent mode.

Provider setup

  Standard mode federated search: Requires:
    • A federated provider definition.
    • A separate federated index definition for each dataset on the federated provider that you want to search. You can designate remote events indexes, metrics indexes, data models, saved searches, and last scheduled search jobs as searchable datasets.
  You can associate a single remote deployment with multiple standard mode federated provider definitions. For example, for one remote deployment you might set up different standard mode federated provider definitions for different application contexts.

  Transparent mode federated search: Requires federated provider definition only.
  You can associate a single remote deployment with only one transparent mode federated provider definition. See About creating multiple federated provider definitions for the same host name and port.

User permissions applied to remote portion of search

  Standard mode federated search: The federated search runs on the federated provider with the permissions of the service account user you define on the federated provider.

  Transparent mode federated search: The federated search runs on the federated provider with the permissions of the user who initiates the search on the local deployment.

Application context of remote portion of search

  Standard mode federated search: Uses the application context set in the federated provider definition.

  Transparent mode federated search: Uses the application context of the local search.

Knowledge objects applied to remote portions of searches

  Standard mode federated search: Uses knowledge objects that are defined on the remote search head of the federated provider.
  See Manage knowledge objects for standard mode federated providers.

  Transparent mode federated search: Through bundle replication, uses knowledge objects from the federated search head of the local deployment.

Security

  Standard mode federated search: The role-based access control permissions for the service account user on the federated provider determine what your local users can search on the federated provider.
  In addition, access to federated indexes is role-based, which allows you to restrict your local users' ability to search remote datasets on the federated provider.

  Transparent mode federated search: The role-based access control permissions for your local users determine what your users can search on the federated provider, with the exception of remote indexes, the access to which is governed by the remote federated provider service account.
  In addition, to activate transparent mode federated search capabilities for the federated provider, the service account must have the fsh_manage capability.

Which local searches run as federated searches on the federated provider?

  Standard mode federated search: Only local searches that invoke federated indexes run over remote datasets on federated providers. Searches that do not invoke federated indexes run only on your local deployment.

  Transparent mode federated search: When you connect your local instance to a transparent mode federated provider, all of your local searches run over that federated provider as federated searches, whether or not you intend for them to search remote datasets on that provider. This might reduce the performance of searches that you intend to run only over your local deployment.

Special search processing language (SPL) syntax required?

  Standard mode federated search: Yes

  Transparent mode federated search: No

Can send only specific subsearches to the remote search head?

  Standard mode federated search: Yes

  Transparent mode federated search: No

Can run entire federated search on the remote search head?

  Standard mode federated search: Yes

  Transparent mode federated search: No

Provides separate namespace for remote indexes (to avoid name collisions)?

  Standard mode federated search: Yes

  Transparent mode federated search: No

Can run remote saved searches?

  Standard mode federated search: Yes

  Transparent mode federated search: No

Can search unaccelerated data models?

  Standard mode federated search: Yes. In your search, reference a local federated index that maps to a remote data model on the federated provider.

  Transparent mode federated search: Yes. In your search, reference a local data model to get data from your local deployment as well as remote data from the federated provider.

Can search accelerated data models?

  Standard mode federated search: Yes. In your search, reference a local federated index that maps to a remote accelerated data model on the federated provider.

  Transparent mode federated search: Yes. When you use transparent mode, accelerated data models on your local search head create data model summaries on your local indexers and on the remote indexers of your federated providers. In your search, reference a local accelerated data model to return both local and remote results.
  Note: The ability to run transparent mode federated searches over accelerated data models requires that both your local and remote Splunk platform deployments be at either Splunk Cloud Platform 9.0.2303 or higher, or Splunk Enterprise 9.1.0 or higher.

SPL limitations

  Standard mode federated search: Standard mode searches cannot include:
    • Generating commands, with the exception of search, eventcount, from, loadjob, mcatalog, mstats, and tstats.
    • Metrics commands, with the exception of mcollect, mstats, and mcatalog.

  Transparent mode federated search: Transparent mode searches have the following SPL limitations:
    • You cannot run transparent mode federated searches that include the meventcollect or rest commands.
    • You cannot use the from command to reference remote saved search datasets.
    • You cannot use the datamodel command to search remote data model datasets.
    • You cannot use the sdselect command to search Amazon S3 datasets, even if you have a Splunk Cloud Platform deployment with Federated Search for Amazon S3 turned on.

Dataset availability

  Standard mode federated search: You can search the following types of remote datasets on a federated provider:
    • events indexes
    • metrics indexes
    • saved searches
    • last scheduled search jobs
    • data models

  Transparent mode federated search: You can search events indexes and metrics indexes on a federated provider.
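
A check for the duplicated-events caveat in the note near the top of this page and in the provider setup comparison, as an added example that is not part of the Splunk documentation. It assumes the provider definitions are stored in federated.conf as [provider://<name>] stanzas with hostPort and mode settings (names that do not appear on this page) and that a stanza without a mode setting is a standard mode provider; the sample configuration is constructed.

```python
import configparser
from collections import defaultdict

# Constructed sample configuration; host names and provider names are made up.
SAMPLE_CONF = """\
[provider://hq_transparent]
hostPort = remote.example.com:8089
mode = transparent

[provider://hq_app_a]
hostPort = remote.example.com:8089
mode = standard

[provider://emea_app_a]
hostPort = emea.example.com:8089
mode = standard

[provider://emea_app_b]
hostPort = EMEA.example.com:8089
mode = standard
"""

def audit_provider_modes(conf_text):
    """Map each remote host:port at risk of duplicated events to (finding, providers)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.optionxform = str  # keep key case (hostPort)
    parser.read_string(conf_text)
    by_remote = defaultdict(list)
    for section in parser.sections():
        if not section.startswith("provider://"):
            continue
        name = section[len("provider://"):]
        # Host names are case-insensitive, so normalise before grouping.
        remote = parser.get(section, "hostPort", fallback="").strip().lower()
        # Assumption: a stanza without a mode setting is a standard mode provider.
        mode = parser.get(section, "mode", fallback="standard").strip().lower()
        by_remote[remote].append((name, mode))
    findings = {}
    for remote, providers in by_remote.items():
        transparent = [n for n, m in providers if m == "transparent"]
        if len(transparent) > 1:
            kind = "multiple-transparent"
        elif transparent and len(providers) > 1:
            kind = "mixed-modes"
        else:
            continue  # one provider, or several standard mode providers: fine
        findings[remote] = (kind, sorted(n for n, _ in providers))
    return findings

if __name__ == "__main__":
    for remote, (kind, names) in audit_provider_modes(SAMPLE_CONF).items():
        print(f"{remote}: {kind}: {', '.join(names)}")
```

Several standard mode providers for one remote deployment are not reported, because that is the arrangement the note recommends.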