About Federated Search for Snowflake
Federated Search for Snowflake lets you run federated searches from your Splunk Cloud Platform deployment over datasets located in Snowflake tables and views. When you run these federated searches, you use familiar SPL2 search commands and syntax.
Connections and datasets
- Connection: A Snowflake connection defines how Splunk software securely authenticates a link between a Splunk deployment and one or more Snowflake datasets that belong to a specific Snowflake warehouse, database, and schema. This authentication is facilitated through a programmatic access token (PAT).
- Dataset: A dataset is defined by a Snowflake table or view. It must be a table or view that belongs to the Snowflake warehouse, database, and schema identified in the definition of the connection with which the dataset is associated. Each dataset must be associated with a single connection. A connection can be associated with multiple datasets.
What you need to get started
- You must have a Splunk Cloud Platform (SCP) deployment on AWS (Amazon Web Services).
- Your SCP deployment user account must have a role with the edit_connections or edit_datasets capabilities. See Define roles on the Splunk platform with capabilities in the Splunk Cloud Platform Manage Users and Security manual.
- You must have a Snowflake environment. Federated Search for Snowflake works with Snowflake environments in any AWS cloud region. As a best practice, your Snowflake environment should be in the same AWS cloud region as your Splunk Cloud Platform deployment.
- You must set up a number of items in your Snowflake environment to prepare it for federated search, with the ultimate goal of creating a Snowflake service user that can generate a programmatic access token (PAT). You use the PAT to authenticate federated search access to a Snowflake dataset. For more information, see Create a Snowflake connection.
Note: Federated Search for Snowflake currently does not support search over Snowflake warehouses located in Azure or Google Cloud Platform (GCP) environments.
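The following Snowflake SQL is an added example, not taken from the Splunk documentation. It sketches one least-privilege way to prepare the service user and PAT described above, so that the token can read only the warehouse, database, schema, and table or view that a connection and its datasets reference. All object names (splunk_fs_reader, splunk_fs_svc, example_wh, example_db, example_schema, auth_events, auth_events_v, splunk_fs_pat) and the 30-day expiry are hypothetical, and the example assumes that the account's prerequisites for issuing PATs to service users, such as a network policy, are already in place.

```sql
-- Added example: every object name below is a hypothetical placeholder.
-- Assumption: account-level prerequisites for issuing PATs to service
-- users (for example a network policy) are already satisfied.

-- 1. Dedicated role that holds only what the connection needs.
CREATE ROLE IF NOT EXISTS splunk_fs_reader;

-- 2. Scope the role to the single warehouse, database, and schema
--    that the Splunk connection identifies.
GRANT USAGE ON WAREHOUSE example_wh TO ROLE splunk_fs_reader;
GRANT USAGE ON DATABASE example_db TO ROLE splunk_fs_reader;
GRANT USAGE ON SCHEMA example_db.example_schema TO ROLE splunk_fs_reader;

-- 3. Read-only access to just the table and view that back datasets.
--    No INSERT, UPDATE, DELETE, or OWNERSHIP is granted.
GRANT SELECT ON TABLE example_db.example_schema.auth_events
  TO ROLE splunk_fs_reader;
GRANT SELECT ON VIEW example_db.example_schema.auth_events_v
  TO ROLE splunk_fs_reader;

-- 4. Service user: a non-interactive identity for the integration.
CREATE USER IF NOT EXISTS splunk_fs_svc
  TYPE = SERVICE
  DEFAULT_ROLE = splunk_fs_reader
  DEFAULT_WAREHOUSE = example_wh
  COMMENT = 'Federated Search for Snowflake connection';
GRANT ROLE splunk_fs_reader TO USER splunk_fs_svc;

-- 5. PAT pinned to the read-only role with a bounded lifetime.
--    The token secret appears once in this statement's output;
--    store it in a secrets manager, not in scripts or tickets.
ALTER USER splunk_fs_svc ADD PROGRAMMATIC ACCESS TOKEN splunk_fs_pat
  ROLE_RESTRICTION = 'SPLUNK_FS_READER'
  DAYS_TO_EXPIRY = 30
  COMMENT = 'Rotate before expiry';

-- 6. Review what the token can reach before creating the connection.
SHOW GRANTS TO ROLE splunk_fs_reader;
SHOW USER PROGRAMMATIC ACCESS TOKENS FOR USER splunk_fs_svc;
```

Because each dataset must belong to the warehouse, database, and schema of its connection, adding a dataset later means adding one more SELECT grant to the same role rather than widening the token.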
Getting started checklist
The following checklist guides you through the cross-account setup of Federated Search for Snowflake.
| Step | Task | Description |
|---|---|---|
| 1 | Create a Snowflake connection | A connection contains the information you need to authenticate the ability to run federated searches over Snowflake datasets from your Splunk platform deployment. |
| 2 | Define a Snowflake dataset | When combined with a connection, a dataset provides the ability to run searches over a specific Snowflake table or view. This table or view must belong to the Snowflake warehouse, database, and schema identified in the connection for the dataset. |
| 3 | Give your users role-based access control of federated datasets | After you have successfully created a Snowflake dataset, give your users role-based access to it. |
| 4 | Write and run federated searches over federated datasets with SPL2 | Run federated searches over your Snowflake dataset with SPL2. |