Steps
- On your local deployment, in Splunk Web, select Settings, then Federation.
- On the Federated Providers tab, select Add federated provider.
- Using the following table, specify the settings for your Splunk federated provider.

| Setting | Description | Default value |
| --- | --- | --- |
| Provider mode | Select the mode of the federated provider. For a comparison of the standard and transparent modes of Federated Search for Splunk, see About Federated Search for Splunk. Use transparent mode if you are migrating to federated search from a Splunk Enterprise to Splunk Cloud Platform hybrid search setup. Note: When you set up federated providers for your local Splunk platform deployment, do not arrange for multiple transparent mode federated providers or a mix of transparent mode and standard mode federated providers to provide access to the same remote Splunk platform deployment. These practices can introduce unexpected complications, such as duplicated events. If you must define multiple federated providers for your local deployment that are associated with the same remote deployment, avoid event duplication issues by ensuring that each of those federated providers uses standard mode. A remote deployment can be a transparent mode federated provider for one local deployment and a standard mode federated provider for a different local deployment. | Standard |
| Provider name | Select a unique name for the federated provider. The provider name can contain only alphanumeric characters and underscores. The provider name cannot be the string splunk by itself. You can use this string with other alphanumeric characters. For example, abcsplunk is a valid provider name. Note: Do not create a new federated provider named local, because local is a special value reserved for the local provider that represents the deployment where the federated search head runs. When you run federated searches, this Provider name is added to your search results as the value of a field named splunk_federated_provider, enabling you to group or filter results by the federated providers that produced them. The splunk_federated_provider field appears in the Interesting Fields list in the Fields sidebar. See Federated provider names added to search results. Note: Federated provider names are case-insensitive. All federated providers that you define for your Splunk platform deployment must have unique names regardless of character case. For example, say you have a provider named MyProvider and you try to create a new provider with a Provider name of myprovider. In this instance, Splunk software prevents you from creating the new provider until you choose a Provider name that is unique, regardless of alphabetical character case. | No default |
| Remote host | Provide the host name and port number for the federated provider, separated by a colon character. For example: buttercupgames.splunkcloud.com:8089. You can provide an IP address instead of a host name. You can provide any legitimate port number. 8089, the standard management port number, works for any federated provider. Note: If you can't connect to port 8089 on a remote Splunk Cloud Platform deployment, contact your Splunk representative to check that the management port is open on the federated provider. For the purposes of Federated Search for Splunk, communication between local and remote Splunk platform search heads is facilitated by an internal REST API endpoint. | No default |
| Service account username and Service account password | If you do not already have a service account on the federated provider, create one. A service account is a dedicated user account that allows the federated search head on your local Splunk instance to search datasets on the federated provider. See Service accounts and security for Federated Search for Splunk. Note: If you save a transparent mode federated provider definition with incorrect Service Account Username or Service Account Password values, you risk being locked out of the service account, which can prevent you from running searches. Be sure to use Test Connection to verify that you have provided accurate credentials. Fix connection issues before you save the definition. | No default |
| Application short name | Applies only to standard mode federated providers. Specify the short name of an app to apply an app context to searches on the federated provider. When you run a federated search with this federated provider, the federated search applies the app context set by Application short name to the portion of the search that takes place on the federated provider. It ignores the app context of the local search head that the search originates from. If you leave this setting blank, Splunk software applies search, the short name of the Search & Reporting app, to this setting. See Set the app context for standard mode federated providers. | search |
| Warning and consent | Select the check box to agree to the terms of the warning and consent agreement. | No default |

- Select Test connection to test the connection to the remote deployment that this federated provider definition is meant to set up. You should see a "Connection successful" message at the top of the dialog if the values that you have provided for the Provider name, Remote host, Service Account username, and Service account password fields are correct. If you get an error message instead, it means one or more of those fields has been set incorrectly. Update the fields and repeat this step until you get the Connection successful message. If you are having trouble making a connection, see Troubleshoot a federated provider connection.
- Select Save to save the federated provider configuration.
Note: After you create a transparent mode federated provider, use role-based access control (RBAC) to control which roles can access the provider. To restrict access to the provider, configure permissions on the Providers tab for each role on the Roles page. See Configure role-based access and search targeting for transparent mode federated providers.
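
The naming, Remote host and provider-mode rules in the table above can be checked across a planned set of provider definitions before anyone enters them in Splunk Web. The following linter is an added example, not Splunk code: the dictionary keys (`name`, `mode`, `remote_host`) and the sample definitions are hypothetical, and "same remote deployment" is approximated by comparing host names.

```python
from collections import defaultdict
import re

NAME_RE = re.compile(r"[A-Za-z0-9_]+")   # alphanumeric characters and underscores only
# Compared lowercased because provider names are case-insensitive (conservative choice).
RESERVED = {"splunk", "local"}

def check_remote_host(value):
    """Return (host, port) for a 'host:port' string, or None if it is malformed."""
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port.isdecimal() or not 1 <= int(port) <= 65535:
        return None
    return host.lower(), int(port)

def lint_providers(providers):
    """Return sorted (subject, problem) tuples for a list of provider dicts."""
    problems, seen, by_host = set(), {}, defaultdict(list)
    for p in providers:
        name, key = p["name"], p["name"].lower()
        if not NAME_RE.fullmatch(name):
            problems.add((name, "invalid characters in name"))
        if key in RESERVED:
            problems.add((name, "reserved name"))
        if key in seen:
            problems.add((name, f"duplicates {seen[key]} ignoring case"))
        seen.setdefault(key, name)
        parsed = check_remote_host(p["remote_host"])
        if parsed is None:
            problems.add((name, "remote host must be host:port"))
        else:
            by_host[parsed[0]].append(p)
    # Several providers for one remote deployment must all use standard mode,
    # otherwise events can be duplicated.
    for host, group in by_host.items():
        if len(group) > 1 and any(g["mode"] == "transparent" for g in group):
            problems.add((host, "multiple providers, not all standard mode"))
    return sorted(problems)

# Constructed sample definitions (hypothetical, for illustration only).
SAMPLE = [
    {"name": "MyProvider", "mode": "standard",
     "remote_host": "buttercupgames.splunkcloud.com:8089"},
    {"name": "myprovider", "mode": "transparent",
     "remote_host": "buttercupgames.splunkcloud.com:8089"},
    {"name": "local", "mode": "standard", "remote_host": "10.0.0.5"},
    {"name": "abcsplunk", "mode": "standard", "remote_host": "example.test:8089"},
]

if __name__ == "__main__":
    for subject, problem in lint_providers(SAMPLE):
        print(f"{subject}: {problem}")
```

The linter checks only the format rules stated on this page; Test connection is still what confirms that the host is reachable and that the service account credentials are accepted.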