Map a federated index to a remote Splunk dataset

In Federated Search for Splunk, after you set up one or more remote Splunk platform deployments as standard mode federated providers for your local Splunk platform deployment, you need to create federated indexes for use in federated searches. Each federated index you create maps to one remote dataset on a standard mode federated provider.

Note: Federated indexes do not ingest or store data or events. Federated indexes cannot be targets for data inputs. The function of a federated index is to route your federated search to a specific dataset on a standard mode federated provider.

The Splunk platform creates federated indexes on the federated search head of your local deployment.

In this task, you:

  • Provide the name of the federated index.
  • Select a standard mode federated provider. The federated provider must contain the remote dataset that you are mapping the federated index to.
  • Select the remote dataset that you are mapping the federated index to.

You can map a federated index to only one remote dataset at a time. If a federated provider contains several remote datasets over which you want to run federated searches, define a separate federated index for each dataset.

Note: Transparent mode federated providers do not use federated indexes. If you are running all of your federated searches in transparent mode, you can skip this topic.

See "About Federated Search for Splunk" for an overview of the standard and transparent modes.