Follow these steps to configure federated search. For more extensive steps, see About Federated Search for Splunk.

1. On the remote federated provider, create the federatedrole role, with admin inheritance.
2. On the remote federated provider, create a user called federateduser that has the federatedrole role.
3. On the federated search head, select Settings then Federated search.
4. Select Add federated provider.
5. Set the Provider mode to the Transparent mode.
6. Enter a provider name and set the remote host with a management port. For example, federatedprovider.splunkcloud.com:8089
7. Provide the username and password credentials of the federateduser account.
8. Select Test connection to verify the search, then select Save.

Real-time searches are currently not supported in federated search mode. Any events stored in itsi_tracked_alerts will not be found by the itsi_event_grouping search. However, the events will be found by the ITSI Rules Engine periodic backfill searches, which run every 12 minutes.

To ensure that event grouping on the federated search head does not conflict with the remote federated provider and create duplicates, turn off the Rules Engine and remove correlation searches from the remote federated provider. To turn off the Rules Engine on the executor node so it doesn't run locally, follow these steps.

1. On the Executor node, select Settings then Searches, reports, and alerts.
2. Change the App: context to All.
3. Search for the itsi_event_grouping search. The Rules Engine runs when this search is turned on.
4. In the Actions column, select Edit then Disable to turn off the Rules Engine on the executor node.

Once federated search is configured, you can create correlation searches.

For example, when you create a correlation search that searches the main index, the scheduled search finds all of the events which are sent to the federated search head's itsi_tracked_alerts as notable events.