Components of a typical federated search setup

Federated search introduces a set of terms. Familiarize yourself with them before you set up and run federated searches.

Local deployment

The Splunk platform deployment from which you run federated searches. The federated search head for your federated search resides on your local deployment.

In this context, "local" does not refer to your physical location. If you are in London and are logging into a Splunk platform deployment located in New York City when you run a federated search, that New York City deployment is the local deployment for your federated search.

Federated search head

A search head residing on your local deployment that initiates federated searches.

Federated provider

A local or remote Splunk platform deployment containing the data that you search with your federated searches.

Warning: Federated Search for Splunk is designed to work only with remote deployments running the Splunk platform. Using Federated Search for Splunk to connect to any other third-party system or provider is not supported.

Before you can run federated searches, you must create federated provider definitions on the local deployment. A federated provider definition serves several purposes:

  • It enables the federated search head to make network connections to the federated provider and to run searches on a remote search head on that provider through a service account, so the privileges of that service account bound what a federated search can read.
  • It determines whether the federated provider runs in standard or transparent mode, which in turn affects how you write and run federated searches.

For an overview of the standard and transparent modes, see About the standard and transparent modes.

See Define a Splunk platform federated provider.

Remote search head

A search head on a federated provider.

Federated index

An index you create on your federated search head to run federated searches over standard mode federated providers. Each federated index maps to a specific remote dataset on a standard mode federated provider. Federated indexes do not ingest data or events. They provide a logical mapping to remote datasets. See Map a federated index to a remote Splunk dataset.

Remote dataset

A dataset on a standard mode federated provider. Currently, only events indexes, metrics indexes, data models, saved searches, and last jobs run by scheduled searches qualify as remote datasets. See Map a federated index to a remote Splunk dataset.