Steps
- On the local deployment, in Splunk Web, select Settings, then Federation.
- On the Federated Indexes tab, select Add federated index.
- Using the following table, specify the settings for your federated index.
Setting Description Default value Federated Index Name Specify the name of the federated index you're creating. The name must reference the remote dataset it maps to. Federated index names have the following restrictions: - They can contain only lower-case letters, numbers, underscores, and hyphens.
- They must begin with a letter or number.
- They cannot be more than 2048 characters in length.
- They cannot contain the string "kvstore".
No default Federated Provider Select the standard mode federated provider that contains the dataset to which this federated index will map. No default Remote Dataset Specify the remote Dataset Type that this federated index maps to and provide the Dataset Name. For Dataset Name, provide the name of a dataset of the selected Dataset Type that currently exists on the selected federated provider. For last job dataset types, Dataset Name values will be names of scheduled searches.
Dataset Type defaults to Index. Dataset Name has no default. - Select Save to save the federated index configuration.
The index is created on the federated search head of your local deployment.
In Splunk Web, you can view the federated indexes that you create for your deployment by selecting Settings > Federated Search > Federated Indexes.
Note: Do not designate federated indexes as default indexes for roles or data inputs.