Override the default provider for a role
Users and administrators can override the search targeting for the list of default transparent mode federated providers that is configured for a role on the Providers tab, without changing the SPL in the search. This is useful when a search needs to run against a different provider than the role uses by default, which gives users flexibility if they have a different workflow for some searches.
You can override default provider targeting in the following ways:
- For ad hoc searches: Use a Splunk API REST call with the federated_remote_providers parameter. The override applies only to that search job.
- For saved searches: Use the federated_providers parameter in Advanced Edit in Splunk Web to target a specific provider for a saved search.
Override the default provider in an ad hoc search
Use the federated_remote_providers parameter with the Splunk REST API to temporarily override the default provider list for a single ad hoc search. For example, the following curl command runs a search against provider-site2 instead of the default providers configured for the role:
curl -u admin:changeme -k https://localhost:8089/services/search/jobs -d search="search index=main" -d federated_remote_providers="provider-site2"
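A hardened form of the ad hoc request above, as an added example that is not part of the Splunk documentation: it verifies the server certificate instead of passing -k and sends an authentication token on stdin instead of placing credentials on the command line. SPLUNK_TOKEN, SPLUNK_CA, DRY_RUN, the function names, the default CA path and the provider-name pattern are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation.
# Assumptions: SPLUNK_TOKEN holds a Splunk authentication token, SPLUNK_CA is
# the CA bundle that signed the management-port certificate, and the
# provider-name pattern is a local policy choice.

# --data-urlencode already stops a value from adding form fields; this check
# rejects typos and unexpected input before any request is built.
valid_provider() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# run_override_search <base_url> <spl> <provider>
# DRY_RUN=1 prints the curl arguments, one per line, instead of sending them.
run_override_search() {
    base_url=$1; spl=$2; provider=$3
    valid_provider "$provider" || { echo "rejected provider name" >&2; return 2; }
    [ -n "${SPLUNK_TOKEN:-}" ] || { echo "SPLUNK_TOKEN is not set" >&2; return 3; }
    case "$base_url" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL" >&2; return 4 ;;
    esac

    # No -k: the server certificate is verified against SPLUNK_CA.
    set -- --fail --silent --show-error \
        --cacert "${SPLUNK_CA:-/etc/ssl/certs/ca-certificates.crt}" \
        --data-urlencode "search=${spl}" \
        --data-urlencode "federated_remote_providers=${provider}" \
        "${base_url}/services/search/jobs"

    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
    else
        # printf is a shell builtin, so the token reaches curl on stdin
        # (--config -) and never appears in the process argument list.
        printf 'header = "Authorization: Bearer %s"\n' "$SPLUNK_TOKEN" |
            curl --config - "$@"
    fi
}
```

Run it with DRY_RUN=1 first to review the exact request; the override still applies only to the search job that the call creates.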
Override default provider targeting in a saved search
To override default provider targeting for a saved search, follow these steps:
- In Splunk Web, in Settings, select Searches, Reports and Alerts.
- Select the saved search you want to edit.
- Select Edit, then select Advanced Edit.
- For the federated_providers parameter, enter the name of the provider that you want the saved search to target.