Prerequisites for federated index creation
- Read About Federated Search for Splunk to familiarize yourself with federated search concepts and terminology.
- To create federated indexes, you must have a role with the edit_deployment_server and indexes_edit capabilities.
- If you use Splunk Cloud Platform, the sc_admin role has these capabilities by default. See in the Securing Splunk Cloud Platform manual.
- If you use Splunk Enterprise, the admin role has these capabilities by default. See Define roles on the Splunk platform with capabilities in the Securing Splunk Enterprise manual.
- You must define one or more federated providers. See Define a Splunk platform federated provider.
- If your local deployment uses Splunk Enterprise and has a search head cluster as its search tier, you must use the deployer to distribute an additional configuration to the server.conf files on your search head cluster members. This configuration enables your federated index definitions to replicate to each member of the search head cluster. See Ensure federated index replication to search head cluster members in your local Splunk Enterprise deployment.
- Know the names of the remote datasets to which you want your federated indexes to map.