Target search routing using the splunk_federated_provider predicate

The splunk_federated_provider=<provider_name> predicate can be added to supported index-based searches to target specific transparent mode federated providers.

Users can add the splunk_federated_provider=<provider_name> predicate to supported index-based searches to target specific transparent mode federated providers. This limits the search to the selected providers, subject to the user's RBAC permissions, which helps manage system resources and improves search performance by limiting the scope of operations to specific providers.

When using the splunk_federated_provider predicate, the syntax is case-insensitive and supports several flexible matching options. Users can perform exact matches for specific providers or use wildcards, such as splunk_federated_provider=provider-site*, to target groups of providers. The predicate also supports IN syntax, which lets users specify multiple providers in a single search, such as splunk_federated_provider IN (provider-site2, provider-site3).

Users should be aware that the predicate has the following limitations when used in federated searches:

  • It can only be used with index-based generating commands, including search, multisearch, tstats, mstats, and mcatalog.

  • It can't be used with tstats searches that rely on data models.

  • It can't be used as a search filter within the Roles page configuration.

  • It does not support negation operators, such as splunk_federated_provider!=provider-site2.

The predicate ensures that searches only get data from the providers that are explicitly named in the predicate, along with any other providers to which the user's role has access. For example, if the default provider for the user's role is provider-site2, then the following search will be sent to provider-site2 and provider-site3:

  index=test1 OR (index=test2 splunk_federated_provider=provider-site3)

However, the splunk_federated_provider=provider-site3 predicate forces the index=test2 portion of the search to run only on provider-site3.
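As an added example (not from Splunk's documentation or product code), the following Python checker models the syntax and limitations described above: it extracts splunk_federated_provider predicates from a search string, flags the unsupported forms (negation, a non-index-based leading command, tstats over a data model), and expands exact, wildcard and IN values case-insensitively against a constructed provider list that stands in for the providers a role can access. It does not model the routing of unpredicated clauses to the role's default provider.

```python
import re
from fnmatch import fnmatchcase

# Constructed provider list for the demo: the transparent mode providers this
# role can reach. This is an assumption for the example, not from the page.
ROLE_PROVIDERS = ["provider-site1", "provider-site2", "provider-site3", "local"]
INDEX_COMMANDS = {"search", "multisearch", "tstats", "mstats", "mcatalog"}

# Matches the "=" / "!=" form and the "IN (a, b)" form of the predicate.
_PRED = re.compile(
    r"splunk_federated_provider\s*(!=|=)\s*([^\s()|]+)"
    r"|splunk_federated_provider\s+IN\s*\(([^)]*)\)",
    re.IGNORECASE,
)

def provider_predicates(spl):
    """Return (values, negated) for every splunk_federated_provider predicate."""
    found = []
    for m in _PRED.finditer(spl):
        if m.group(3) is not None:            # IN (a, b, c) form
            vals = [v.strip().strip('"') for v in m.group(3).split(",") if v.strip()]
            found.append((vals, False))
        else:                                  # = or != form
            found.append(([m.group(2).strip('"')], m.group(1) == "!="))
    return found

def leading_command(spl):
    """First command of a search; a bare 'index=...' clause implies 'search'."""
    parts = spl.strip().lstrip("|").strip().split()
    head = parts[0].lower() if parts else ""
    return head if head.isalpha() else "search"

def check_search(spl, role_providers=ROLE_PROVIDERS):
    """Validate predicate usage against the documented limitations and expand
    its values (case-insensitive exact, wildcard, IN) to providers the role can
    reach. Returns (sorted target providers, list of problems)."""
    problems, targets = [], set()
    preds = provider_predicates(spl)
    if not preds:
        return [], problems
    cmd = leading_command(spl)
    if cmd not in INDEX_COMMANDS:
        problems.append(f"'{cmd}' is not an index-based generating command")
    if cmd == "tstats" and re.search(r"\bdatamodel\s*=", spl, re.IGNORECASE):
        problems.append("tstats searches over data models can't use the predicate")
    for vals, negated in preds:
        if negated:
            problems.append("negation (!=) is not supported")
            continue
        for pat in vals:
            hits = [p for p in role_providers if fnmatchcase(p.lower(), pat.lower())]
            if not hits:
                problems.append(f"'{pat}' matches no provider this role can access")
            targets.update(hits)
    return sorted(targets), problems
```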

Use the splunk_federated_provider predicate to target searches to the local provider

In addition to using the splunk_federated_provider predicate to target remote federated providers, users can set splunk_federated_provider=local to target the local provider. This limits the search to the local provider instead of sending the search to other providers in the federated environment. For example, the following search runs on the local provider and not on any remote providers.

  index=_audit splunk_federated_provider=local | stats count by host

When local is used with the splunk_federated_provider predicate, local refers to the local provider.

Administrators can also control access to the local provider by selecting or deselecting Included and Default for local on the Providers tab for a role. See Configure role-based access and search targeting for transparent mode federated providers.