Search over a standard mode federated provider

Federated searches that run over a standard mode federated provider must use a special search syntax to invoke the federated search. When you work with standard mode federated providers and you run a search that does not include this syntax, the search runs only over your local deployment.

Standard mode federated searches are subject to specific requirements and restrictions.

Additional requirements for standard mode federated search

Your administrator must create one or more federated indexes on your local federated search head. Each federated index maps to a specific remote dataset on a federated provider. See Map a federated index to a remote Splunk dataset.
Your role must have permissions for the federated indexes on your local federated search head that you intend to search. See Give your users role-based access control of federated indexes.
All custom knowledge objects in your search, such as calculated fields, event types, tags, and lookups must be present on the remote search head. Calculated fields, and, for some types of searches, lookups, event types, and tags must also be defined on the local federated search head. If this duplication of knowledge objects is not present as required, searches might fail or return errors. See Manage knowledge objects for standard mode federated providers.

Write standard mode federated searches

The basic syntax for a standard mode federated search differs depending on the type of remote dataset that you are referencing in the search. A federated search of an events index dataset requires different syntax than a federated search of a metrics index, saved search, last job, or data model dataset.

However, all standard mode federated searches require a reference to at least one federated index that you have defined on your federated search head. This federated index maps to a remote dataset on the federated provider such as an events index, a metrics index, a saved search, a data model, or the last job run by a scheduled search. See Map a federated index to a remote Splunk dataset.

You can use Boolean operators such as AND and OR to reference multiple federated indexes in a subsearch.

If your role has the admin_all_objects and indexes_edit capabilities, you can view the federated indexes to which you have access and the remote datasets that those federated indexes map to on the Federated Indexes listing page at Settings > Federated Search > Federated Indexes. If your role does not have this capability, get the names of the federated indexes that you can search from your administrator.

Syntax for standard mode federated searches of remote datasets

The following table provides the search commands and syntax required to search various dataset types on a standard mode federated provider. All of the examples use the federated: prefix to invoke a federated index on the federated search head that maps to a dataset on the remote search head.

Note: When you run a standard mode federated search, you must follow the syntax for the dataset type to which your federated index is mapped. For example, you cannot use the from command to reference an events index, and you cannot search a metrics index without using mstats or mcatalog and referencing the federated index to which the federated index is mapped with a WHERE clause. When your search syntax does not match the dataset type, Splunk software returns an error message.


Remote dataset type	Required syntax	More information
events index	Use `search` to search events index datasets. `\| search index=federated:<federated_index_for_events_index>` or `index=federated:<federated_index_for_events_index>`	You can use a wildcard symbol (``) to reference all federated indexes that map to events indexes: `\| search index=federated:`
metrics index	Use `mstats` or `mcatalog` in conjunction with a WHERE clause to search metrics index datasets. `\| mstats <stats-func> WHERE index=federated:<federated_index_for_metrics_index>`	You cannot use a wildcard symbol (`*`) to reference all federated indexes that map to metrics indexes.
saved search	Use `from` or `savedsearch` to reference federated indexes that map to saved search datasets. `\| from federated:<federated_index_for_saved_search>` or `\| savedsearch federated:<federated_index_for_saved_search>`	A saved search dataset is composed of the results of an ad-hoc run of a saved search on the remote search head. For a comparison of saved search and last job datasets, see Map a federated index to a remote Splunk dataset.
last job	Use `from` to reference federated indexes that map to saved search datasets. `\| from federated:<federated_index_for_last_job_dataset>`	A last job dataset is composed of the results of the last job run by a scheduled search on the remote search head. For a comparison of saved search and last job datasets, see Map a federated index to a remote Splunk dataset.
data model	Use `from` to search an unaccelerated remote data model dataset. `\| from federated:<federated_index_for_data_model>` Use `tstats` in conjunction with a `FROM` clause to search an accelerated remote data model dataset. `\| tstats <stats-func> FROM datamodel=federated:<federated_index_for_data_model>`

Restrictions for standard mode federated search

Standard mode federated search does not support the following things:

Generating commands, with the exception of search, eventcount, from, loadjob, mcatalog, mstats, savedsearch, or tstats. For example, standard mode federated searches cannot include the datamodel or inputlookup commands. You can find a list of generating commands in Command types, in the Search Reference.
Using from to reference events index or metrics index datasets.
Real-time search.

Metrics-specific search commands, with the exception of mcollect, mstats and mcatalog. If you must use these commands in a federated search, consider mapping a federated index to a saved search or last job dataset that runs them. See Map a federated index to a remote Splunk dataset.