Prerequisites

  • Read About Federated Search for Splunk to familiarize yourself with federated search concepts and terminology.
  • You must have a role with the edit_federated_providers capability to create a federated provider.
    • If you use Splunk Cloud Platform, the sc_admin role has this capability by default. See in the Securing Splunk Cloud Platform manual.
    • If you use Splunk Enterprise, the admin role has this capability by default. See Define roles on the Splunk platform with capabilities in the Securing Splunk Enterprise manual.
  • Gather the unique host name of the remote deployment that you want to set up as a federated provider. The format of the host name depends on whether your local deployment uses search head clustering. See the following table for the right host name format for your deployment type.

| Deployment type | Uses search head clustering? | Host name format | Host name example |
|---|---|---|---|
| Splunk Cloud Platform | No | <stack name>.splunkcloud.com | buttercupgames.splunkcloud.com |
| Splunk Cloud Platform | Yes | shc1.<stack name>.splunkcloud.com | shc1.buttercupgames.splunkcloud.com |
| Splunk Enterprise | No | <deployment name>.splunk.com | buttercupgames.splunk.com |
| Splunk Enterprise | Yes | <deployment name>-shc.splunk.com or shc-<deployment name>.splunk.com | shc-buttercupgames.splunk.com or buttercupgames-shc.splunk.com |

You can find the <stack name> or <deployment name> in the URL for the main stack of a Splunk platform deployment.

When you connect to a Splunk Cloud Platform federated provider that uses search head clustering, in most cases you will connect to the load balancer for the cluster when you use the URLs described above. The load balancer can handle the distribution of federated search data to and from the search head cluster members. The load balancer can also manage disruptions if individual search heads within the cluster go offline.
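
The following added example (not part of the Splunk documentation) checks a candidate provider host name against the formats in the table above before you enter it, rejecting URLs, ports, and lookalike domains that only contain a documented suffix. The function name classify_provider_host is hypothetical, and the sample host names are constructed from the table's buttercupgames examples.

```python
import re

# A single DNS label: letters, digits, interior hyphens, at most 63 characters.
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
NAME = r"(?P<name>[a-z0-9-]+)"

# Formats transcribed from the table above. Clustered patterns come first so
# that "shc-<name>.splunk.com" is not read as a non-clustered deployment.
# Assumption: a non-clustered name that itself starts with "shc-" or ends
# with "-shc" is reported as clustered, because the formats are ambiguous.
FORMATS = [
    ("Splunk Cloud Platform", True, re.compile(rf"shc1\.{NAME}\.splunkcloud\.com")),
    ("Splunk Cloud Platform", False, re.compile(rf"{NAME}\.splunkcloud\.com")),
    ("Splunk Enterprise", True, re.compile(rf"shc-{NAME}\.splunk\.com")),
    ("Splunk Enterprise", True, re.compile(rf"{NAME}-shc\.splunk\.com")),
    ("Splunk Enterprise", False, re.compile(rf"{NAME}\.splunk\.com")),
]


def classify_provider_host(host):
    """Return (deployment_type, uses_shc, name) or raise ValueError."""
    h = host.strip().lower().rstrip(".")
    # Reject URLs, ports, paths and anything else that is not a bare host name.
    if len(h) > 253 or not all(LABEL_RE.fullmatch(part) for part in h.split(".")):
        raise ValueError(f"not a bare DNS host name: {host!r}")
    for deployment, uses_shc, pattern in FORMATS:
        # fullmatch anchors both ends, so a documented suffix followed by
        # another domain (a lookalike) does not pass.
        match = pattern.fullmatch(h)
        if match:
            return deployment, uses_shc, match.group("name")
    raise ValueError(f"matches no documented host name format: {host!r}")


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in (
        "shc1.buttercupgames.splunkcloud.com",
        "buttercupgames-shc.splunk.com",
        "https://buttercupgames.splunkcloud.com",
        "buttercupgames.splunkcloud.com.example.net",
    ):
        try:
            print(sample, "->", classify_provider_host(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```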