How Federated Search for Splunk works
Federated Search for Splunk works similarly to distributed search. In a distributed search, the initial processing of a search is handled by the indexers of a Splunk platform deployment, and the results are then aggregated on that deployment's search head to produce the final result set.
In Federated Search for Splunk, a federated search is split into parts that are processed on a "local" Splunk platform deployment and parts that are processed on one or more remote Splunk platform deployments. Each of these remote deployments is a federated provider.
For example, say you have a simple federated search that involves only one federated provider. In this case, the federated search process sends the remote portion of the search to the federated provider. On the federated provider, the remote search head and its indexers process the search independently, performing a pre-aggregation of the results. The remote search head then sends the results back to the federated search head on the local deployment, where the local search head aggregates the remote results into the final result set for the complete federated search.
The following diagram illustrates a federated search over a remote deployment. The remote deployment is a standard mode federated provider. The federated provider has an events index dataset that is available for federated searches. On the local deployment, a federated index on the federated search head maps to a remote dataset.
A simple federated search for this setup might look like this:
index=federated:provider1_fedindex1 | stats count
This search references a federated index named provider1_fedindex1, which maps to the remote dataset stored on Federated Provider 1. The federated search head uses this mapping to send the remote portion of the search to Federated Provider 1, whose search head returns events from its remote index dataset to the federated search head on your local deployment. The federated search head then runs the stats count operation on those events. When the stats count aggregation is complete, the federated search head presents the results without further processing, because no other datasets are involved in the search.
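The following Python is an added toy model of the split described above: the federated search head resolves each federated index through its local mapping, sends the remote portion of the search to the provider, and aggregates the partial results the provider sends back. It is not Splunk's implementation or code from this documentation. It goes slightly beyond the single-provider case on this page by letting one search reference federated indexes on two providers, so that the local aggregation step has something to merge. The provider names, federated index names, remote index names and events are all constructed for the example, and the only commands it understands are stats count and stats count by <field>.

```python
"""Toy model of how a federated search is split between the local federated
search head and remote federated providers. Added illustration, not Splunk
code. All names and event data below are constructed for the example."""
from collections import Counter
import re

# Remote deployments (federated providers): remote index name -> events.
# Constructed sample data.
PROVIDERS = {
    "provider1": {"web": [
        {"status": "200"}, {"status": "404"}, {"status": "200"},
    ]},
    "provider2": {"auth": [
        {"status": "401"}, {"status": "200"},
    ]},
}

# Local federated search head configuration: federated index -> (provider,
# remote dataset). Hypothetical names chosen for the example.
FEDERATED_INDEXES = {
    "provider1_fedindex1": ("provider1", "web"),
    "provider2_fedindex1": ("provider2", "auth"),
}

_INDEX_RE = re.compile(r"^index=federated:([A-Za-z0-9_]+)$")
_STATS_RE = re.compile(r"^stats count(?: by ([A-Za-z0-9_]+))?$")


def parse_search(spl):
    """Split 'index=federated:<a> [OR index=federated:<b>] | stats count [by f]'
    into the federated index names it references and the by-field (or None)."""
    parts = [p.strip() for p in spl.split("|")]
    if len(parts) != 2:
        raise ValueError("expected exactly one stats command after the index search")
    names = []
    for term in parts[0].split(" OR "):
        m = _INDEX_RE.match(term.strip())
        if not m:
            raise ValueError(f"not a federated index term: {term!r}")
        names.append(m.group(1))
    m = _STATS_RE.match(parts[1])
    if not m:
        raise ValueError(f"unsupported command in toy model: {parts[1]!r}")
    return names, m.group(1)


def resolve_federated_index(name):
    """Map a federated index to (provider, remote dataset). Names that are not
    configured are rejected instead of being forwarded to a provider verbatim."""
    try:
        return FEDERATED_INDEXES[name]
    except KeyError:
        raise ValueError(f"unknown federated index: {name}") from None


def run_remote(provider, remote_index, by_field):
    """What the remote search head and its indexers do: run the remote portion
    of the search over the remote dataset and return pre-aggregated counts."""
    events = PROVIDERS[provider].get(remote_index, [])
    if by_field is None:
        return Counter({"count": len(events)})
    return Counter(e.get(by_field, "") for e in events)


def run_federated_search(spl):
    """What the federated search head does: resolve each federated index,
    dispatch the remote portion to its provider, and merge the partial
    results from every provider into the final result set."""
    names, by_field = parse_search(spl)
    total = Counter()
    for name in names:
        provider, remote_index = resolve_federated_index(name)
        total += run_remote(provider, remote_index, by_field)
    if by_field is None:
        return {"count": total["count"]}
    return dict(sorted(total.items()))


if __name__ == "__main__":
    print(run_federated_search("index=federated:provider1_fedindex1 | stats count"))
    print(run_federated_search(
        "index=federated:provider1_fedindex1 OR index=federated:provider2_fedindex1"
        " | stats count by status"))
```

The point to take from the model is that a local search never names a remote index directly: it names a federated index, and only the mapping configured on the federated search head decides which provider and which remote dataset the remote portion is sent to.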
See Run federated searches over remote Splunk platform deployments to learn how to write federated searches.