Simple search of a large remote events index dataset

Say you have a federated index on your local search head named airline_flights_SF. This federated index is mapped to an events index on a remote deployment that is defined as a federated provider for your local deployment. The remote events index contains 2,000,000 events relating to airline flight departures and arrivals at a San Francisco airport. To return the first 100 events of this large remote dataset, run this search:

index = federated:airline_flights_SF | head 100

Simple search of a remote metrics dataset

Following on from the previous example, you might also have a federated index on your local search head named airline_flights_SF_metrics. This federated index is mapped to a metrics index on a remote deployment that is defined as a federated provider for your local deployment. This remote metrics index contains a significantly large number of metric data points that also relate to San Francisco airline flight arrivals and departures.

The following search returns a count of a specific airline departure metric.

| mstats count(SF.airline.splunkpony.departure_delay_time) where index=federated:airline_flights_SF_metrics

For more information, see mstats in the Search Reference and Overview of metrics in Metrics.

Simple search of a last job dataset

The following search runs over the last job of a scheduled search. The scheduled search runs at the start of each hour and returns information about security badge errors at gates for the preceding hour.

| from federated:badge_errors_last_hour | timechart span=1m count by gate usenull=f

Combine local and standard mode federated search results for comparative analysis

Say you want to investigate the performance of specific airline carriers at competing airports. The following search uses the union command to combine a remote saved search dataset of San Francisco flight data and a local events index dataset of New York City flight data. Then it finds the average arrival delay between airports in the combined dataset, broken out by airline.

| union 
  [savedsearch federated:search_of_airline_flights_SF] 
  [search index = airlinedata_NYC] 
| stats avg (ArrDelay) by UniqueCarrier

If you want to search a local events index and a remote events index, you can use an OR operator to combine the results:

index = airlinedata_NYC OR index = federated:airline_flights_SF
| stats avg (ArrDelay) by UniqueCarrier

Aggregate results with join for a count of unique values

The following standard mode federated search uses the join command to aggregate results from the remote and local deployments. It returns the total count of airline carriers running flights out of San Francisco and New York City.

index = federated:airline_flights_SF 
| join left = L right = R where L.UniqueCarrier = R.UniqueCarrier 
  [search index = airlinedata_NYC] 
| stats count

Filter a remote data model dataset search by one or more index names

When you run a tstats search of a remote data model dataset on a standard mode federated provider, it is often helpful to filter the results of the search by one or more indexes. Indexes referenced by the WHERE keyword must be present on the remote search head.

| tstats count from datamodel = federated:remote_dm_1
WHERE index=index_fs_1 OR index=index_fs_2

You can also run tstats searches that mix local and federated indexes.

|tstats count where index=local_index_1 OR index=federated:remote_dm_1

Filter a remote data model dataset search on child data model datasets

When you run a tstats search of a remote data model dataset on a standard mode federated provider, you can filter the results on one or more of the child datasets within the data model by referencing the nodename of the child dataset.

| tstats count from datamodel = federated:remote_dm_1
WHERE nodename = DM_1_DS.DM_1_DS_CHILD_1

See tstats in the Search Reference for more information about using nodename to filter tstats searches on child data model datasets.