Move to federated search
To move to federated search, you must first contact Splunk Support to get your Splunk Cloud Platform deployment configured for federated search. Then you follow a few self-service setup steps. Afterwards, you can run federated searches that combine data from your local Splunk Enterprise deployment and a remote Splunk Cloud Platform deployment.
- Activate token authentication for the Splunk Cloud Platform deployment
- Configure the IP allow list for the Splunk Cloud Platform deployment
- Create a service account for the Splunk Cloud Platform deployment
- Turn off hybrid search on your Splunk Enterprise and Splunk Cloud Platform deployments
- Create a federated provider definition for the Splunk Cloud Platform deployment
- Write and run federated searches
Activate token authentication for the Splunk Cloud Platform deployment
You must activate token authentication for your Splunk Cloud Platform deployment if it isn't already activated. See Enable or disable token authentication in Securing Splunk Cloud Platform.
Configure the IP allow list for the Splunk Cloud Platform deployment
You must configure the IP allow list for the Splunk Cloud Platform deployment through the IP allow list page in Splunk Web. For details, see Configure IP allow lists using Splunk Web in the Splunk Cloud Platform Admin Manual.
The IP allow list use case is Search head API access.
In the IP allow list, provide the subnets of the Splunk Enterprise deployment's search head or search head cluster in CIDR notation, in the form <ip_address>/32.
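Allow-list entries that are mistyped or broader than needed are a common source of either blocked federated searches or unnecessary exposure of the management port. The following check, added here as an example and not Splunk's own code, validates a set of proposed entries before you paste them into the IP allow list page: each entry must carry an explicit prefix length as the <ip_address>/32 format requires, must be a well-formed IPv4 CIDR block with no host bits set, and is flagged if it is broader than an assumed /24 threshold (a constructed limit for this example, since a search head cluster subnet may legitimately be wider than a single /32). It also reports entries made redundant by a wider entry and confirms that a given search head address is actually covered. The sample entries are constructed values, not addresses from any real deployment.

```python
"""Sanity-check IP allow-list entries before submitting them in Splunk Web.

Added example, not Splunk's own code. Assumes IPv4 entries in the
<ip_address>/32 form described on the page; broader prefixes are
accepted up to an assumed /24 limit and rejected beyond it.
"""
import ipaddress

# Widest prefix treated as acceptable for a search head cluster subnet.
# This limit is an assumption made for the example, not a Splunk setting.
MAX_RISKY_PREFIX = 24

# Constructed sample entries mixing valid and problematic values.
SAMPLE_ENTRIES = [
    "203.0.113.10/32",   # single search head, the format the page describes
    "203.0.113.0/24",    # search head cluster subnet at the assumed limit
    "198.51.0.0/16",     # far broader than a search head subnet needs
    "203.0.113.20",      # prefix length missing
    "192.0.2.5/28",      # host bits set, so not a valid CIDR block
    "2001:db8::1/128",   # IPv6, outside the <ip_address>/32 convention
]


def parse_allow_list(entries):
    """Return (networks, problems).

    networks: ipaddress.IPv4Network objects for entries safe to submit.
    problems: (entry, reason) pairs for entries that should be corrected first.
    """
    networks = []
    problems = []
    for raw in entries:
        entry = raw.strip()
        if "/" not in entry:
            problems.append((entry, "missing prefix length; expected <ip_address>/32"))
            continue
        try:
            # strict=True rejects blocks whose address has host bits set,
            # which usually means a typo in either the address or the prefix.
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            problems.append((entry, f"not a valid CIDR block: {exc}"))
            continue
        if net.version != 4:
            problems.append((entry, "only IPv4 entries are handled in this example"))
            continue
        if net.prefixlen < MAX_RISKY_PREFIX:
            problems.append((entry, f"/{net.prefixlen} is broader than /{MAX_RISKY_PREFIX}; narrow it"))
            continue
        networks.append(net)
    return networks, problems


def redundant_entries(networks):
    """Entries wholly contained in another entry; they add clutter, not reach."""
    redundant = []
    for net in networks:
        if any(net != other and net.subnet_of(other) for other in networks):
            redundant.append(str(net))
    return redundant


def search_head_covered(networks, search_head_ip):
    """True if the search head's egress address falls inside an allowed block."""
    addr = ipaddress.ip_address(search_head_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets, probs = parse_allow_list(SAMPLE_ENTRIES)
    for net in nets:
        print(f"OK       {net}")
    for entry, reason in probs:
        print(f"PROBLEM  {entry}: {reason}")
    for entry in redundant_entries(nets):
        print(f"REDUNDANT {entry}")
    print("search head 203.0.113.77 covered:", search_head_covered(nets, "203.0.113.77"))
```

Run the check against the exact list you intend to submit; fix every PROBLEM line and consider dropping REDUNDANT ones, then confirm that each search head's egress address reports as covered before you save the allow list.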
Create a service account for the Splunk Cloud Platform deployment
A service account is a dedicated user account that you create on the remote Splunk Cloud Platform deployment over which you want to run federated searches. The service account allows users on the local Splunk Enterprise deployment to apply their own data access privileges and permissions to the searches they run over the remote deployment. The service account must have a role with the fsh_manage capability.
See Service accounts and security for Federated Search for Splunk.
Turn off hybrid search on your Splunk Enterprise and Splunk Cloud Platform deployments
Turn off hybrid search on your local Splunk Enterprise deployment before you set up federated provider definitions on that deployment. See Turn off hybrid search in the Splunk Cloud Platform Admin Manual.
Turn hybrid search off on your remote Splunk Cloud Platform deployment before you define your remote deployment as a federated provider for your local Splunk Enterprise deployment.
Splunk Customer Support will assist you in turning off hybrid search functionality configured for your Splunk Cloud Platform deployment. Log in to Splunk.com, select the Support drop-down at the top of the page, and choose the support option that best suits your needs.
Create a federated provider definition for the Splunk Cloud Platform deployment
You create a federated provider definition for your Splunk Cloud Platform deployment through the Federated Provider page. The Federated Provider page is available in Settings. These settings determine how the federated search head on your Splunk Enterprise deployment collaborates with the remote search heads on your federated provider to run a federated search.
See Define a Splunk platform federated provider.
When you set up a Splunk Cloud Platform environment as a federated provider, you:
- Determine whether the provider uses standard mode or transparent mode. If you are transitioning from hybrid search to federated search, use transparent mode.
- Help your local federated search head connect to the remote federated provider. Supply the Splunk Cloud Platform environment host name and management port number (8089).
- Provide the service account credentials. Supply the service account user id and password you defined previously.
Now you are ready to run federated searches.
Write and run federated searches
In transparent mode you can run the same kinds of searches that you used for hybrid search, without changes to syntax.
See Run federated searches over remote Splunk platform deployments for more information about writing federated searches and about restrictions on federated searches.