Comparison of the standard and transparent modes

Comparison of standard mode and transparent mode in Federated Search for Splunk deployments.

The following table summarizes the differences between the two modes.

Kinds of federated search

Standard mode: Applies to the following kinds of federated search:
  • Splunk Cloud Platform to Splunk Cloud Platform
  • Splunk Enterprise to Splunk Enterprise
  • Splunk Cloud Platform to Splunk Enterprise
  • Splunk Enterprise to Splunk Cloud Platform, if you are not migrating to federated search from a hybrid search setup.

Transparent mode: Applies to the following kinds of federated search:
  • Splunk Cloud Platform to Splunk Cloud Platform
  • Splunk Enterprise to Splunk Enterprise
Note: The Splunk Cloud Platform to Splunk Enterprise kind of federated search does not support transparent mode.
Also applies to Splunk Enterprise to Splunk Cloud Platform federated search, if you are migrating from a hybrid search setup.

Provider setup

Standard mode: Requires:
  • A federated provider definition.
  • A separate federated index definition for each dataset on the federated provider that you want to search. You can designate remote events indexes, metrics indexes, data models, saved searches, and last scheduled search jobs as searchable datasets.
You can associate a single remote deployment with multiple standard mode federated provider definitions. For example, for one remote deployment you might set up different standard mode federated provider definitions for different application contexts.

Transparent mode: Requires federated provider definition only.
You can associate a single remote deployment with only one transparent mode federated provider definition. See About creating multiple federated provider definitions for the same host name and port.

User permissions applied to remote portion of search

Standard mode: The federated search runs on the federated provider with the permissions of the service account user you define on the federated provider.

Transparent mode: The federated search runs on the federated provider with the permissions of the user who initiates the search on the local deployment.

Application context of remote portion of search

Standard mode: Uses the application context set in the federated provider definition.

Transparent mode: Uses the application context of the local search.

Knowledge objects applied to remote portions of searches

Standard mode: Uses knowledge objects that are defined on the remote search head of the federated provider.
See Manage knowledge objects for standard mode federated providers.

Transparent mode: Through bundle replication, uses knowledge objects from the federated search head of the local deployment.

Security

Standard mode: The role-based access control permissions for the service account user on the federated provider determine what your local users can search on the federated provider.
In addition, access to federated indexes is role-based, which allows you to restrict your local users' ability to search remote datasets on the federated provider.

Transparent mode: The role-based access control (RBAC) permissions for your local users determine what your users can search on the federated provider, with the exception of remote indexes, the access to which is governed by the remote federated provider service account.
In addition, to activate transparent mode federated search capabilities for the federated provider, the service account must have the fsh_manage capability.

Which local searches run as federated searches on the federated provider?

Standard mode: Only local searches that invoke federated indexes run over remote datasets on federated providers. Searches that do not invoke federated indexes run only on your local deployment.

Transparent mode: By default, transparent mode searches can run over the transparent mode federated providers that are selected as default providers for the user’s role. Administrators can use provider-based RBAC and search targeting settings to control which transparent mode providers a role can search and which providers searches target by default. Searches that target unintended providers might reduce performance. See Configure role-based access and search targeting for transparent mode federated providers.

Special search processing language (SPL) syntax required?

Standard mode: Yes
Transparent mode: No

Can send only specific subsearches to the remote search head?

Standard mode: Yes
Transparent mode: No

Can run entire federated search on the remote search head?

Standard mode: Yes
Transparent mode: No

Provides separate namespace for remote indexes (to avoid name collisions)?

Standard mode: Yes
Transparent mode: No

Can run remote saved searches?

Standard mode: Yes
Transparent mode: No

Can search unaccelerated data models?

Standard mode: Yes. In your search, reference a local federated index that maps to a remote data model on the federated provider.

Transparent mode: Yes. In your search, reference a local data model to get data from your local deployment as well as remote data from the federated provider.

Can search accelerated data models?

Standard mode: Yes. In your search, reference a local federated index that maps to a remote accelerated data model on the federated provider.

Transparent mode: Yes. When you use transparent mode, accelerated data models on your local search head create data model summaries on your local indexers and on the remote indexers of your federated providers. In your search, reference a local accelerated data model to return both local and remote results.
Note: The ability to run transparent mode federated searches over accelerated data models requires that both your local and remote Splunk platform deployments be at either Splunk Cloud Platform 9.0.2303 or higher, or Splunk Enterprise 9.1.0 or higher.

SPL limitations

Standard mode: Standard mode federated search has these SPL limitations:
  • Does not support real-time search.
  • Cannot include Generating commands, with the exception of search, eventcount, from, loadjob, mcatalog, mstats, savedsearch, and tstats.
  • Cannot use from to reference events index or metrics index datasets.
  • Cannot include metrics-specific search commands, except mcollect, mstats, and mcatalog.

Transparent mode: Transparent mode federated search has these SPL limitations:
  • Does not support real-time search.
  • Cannot use meventcollect.
  • Cannot use datamodel to search remote data models.
  • Cannot use from to search saved search datasets on the federated provider.
  • Cannot use federated: syntax to refer to federated indexes.
  • Blocks some commands, including delete, dump, loadjob, map, rest, run, runshellscript, script, sendalert, and sendemail.
  • Blocks or restricts the makeresults and tstats commands in some cases.
  • Cannot use the sdselect command to search Amazon S3 datasets, even if Federated Search for Amazon S3 is turned on.

Dataset availability

Standard mode: You can search the following types of remote datasets on a federated provider:
  • events indexes
  • metrics indexes
  • saved searches
  • last scheduled search jobs
  • data models

Transparent mode: You can search events indexes and metrics indexes on a federated provider.
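
A pre-flight check for the transparent mode SPL limitations listed above, as an added example that is not part of the Splunk documentation: it extracts the command names from a search (subsearches included, quoted strings ignored), flags the commands the page lists as blocked, and marks the conditionally restricted ones for review. The function names, severity labels, and sample searches are constructed for illustration, and the blocked list is only as complete as the page's own list.

```python
import re

# Command lists copied from the transparent mode SPL limitations on this page.
# The page says "including" for blocked commands, so BLOCKED is not exhaustive.
BLOCKED = {"delete", "dump", "loadjob", "map", "rest", "run", "runshellscript",
           "script", "sendalert", "sendemail", "meventcollect", "sdselect"}
REVIEW = {
    "makeresults": "blocked or restricted in some cases",
    "tstats": "blocked or restricted in some cases",
    "datamodel": "cannot search remote data models",
    "from": "cannot search saved search datasets on the federated provider",
}
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
COMMAND = re.compile(r"[|\[]\s*([A-Za-z_]\w*)")
FED_INDEX = re.compile(r'\bindex\s*=\s*"?federated:', re.IGNORECASE)


def spl_commands(spl):
    """Return the command names in an SPL string, subsearches included."""
    bare = QUOTED.sub('""', spl)           # pipes inside quoted strings are data
    names = [m.lower() for m in COMMAND.findall(bare)]
    if not bare.lstrip().startswith("|"):  # implicit leading "search" command
        names.insert(0, "search")
    return names


def check_transparent_mode(spl):
    """Return (severity, item, reason) findings for a transparent mode search."""
    findings = []
    if FED_INDEX.search(spl):
        findings.append(("block", "federated:", "standard mode index syntax"))
    for name in spl_commands(spl):
        if name in BLOCKED:
            findings.append(("block", name, "not supported in transparent mode"))
        elif name in REVIEW:
            findings.append(("review", name, REVIEW[name]))
    return findings


# Constructed sample searches (hypothetical index names), not from the page.
SAMPLES = [
    'index=web status=500 | stats count by host',
    'index=web msg="a | delete b" | eval x=1',
    'index=web [ | rest /services/server/info | fields host ] | sendemail to="soc@example.com"',
    'index=federated:remote_web | stats count',
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_transparent_mode(sample))
```

A "review" finding means the page's restriction depends on context the string alone does not show, such as whether the data model or saved search dataset is remote.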