Overview of the federated search options for the Splunk platform

Federated search, in its broadest definition, is a tool that lets you search remote datasets throughout your data ecosystem from a single Splunk platform search interface. With federated search, you can break down your data collection silos and get cross-functional insights into data patterns and correlations that were previously unavailable to you, while meeting security requirements with role-based data access controls.

The Splunk platform currently offers five federated search options:

  • Federated Search for Splunk
  • Federated Search for Amazon S3
  • Federated Search for Microsoft Azure
  • Federated Search for Azure Databricks
  • Federated Analytics for Amazon Security Lake

Federated Search for Splunk is available for users of Splunk Enterprise and Splunk Cloud Platform. The other federated search options are available only for users of Splunk Cloud Platform.

Warning: Federated Search for Splunk is designed to work only with remote deployments running the Splunk platform. Using Federated Search for Splunk to connect to any other third-party systems, including providers, is not supported.

Federated Search for Splunk

Federated Search for Splunk grants you a unified view of the Splunk platform data stored across your entire organization. With a single search you can efficiently return events from any Splunk Cloud Platform or Splunk Enterprise environment to which you have access.

Federated Search for Splunk is a feature that is available to users of Splunk Cloud Platform and Splunk Enterprise. You can configure Federated Search for Splunk between any combination of those two environment types (Enterprise to Enterprise, Cloud to Cloud, Enterprise to Cloud, and Cloud to Enterprise). You can also use Federated Search for Splunk to search multiple remote Splunk environments from the same local search head.

You can set up Federated Search for Splunk with just a few steps. To get started, see About federated search for Splunk.

Federated Search for Amazon S3

Federated Search for Amazon S3 lets you search remote datasets in your Amazon S3 buckets and retrieve the search results directly in your Splunk Cloud Platform instance for correlation, enrichment, and analysis, without having to ingest or index that data beforehand. When you run these federated searches, you use SPL2 search commands and syntax.

Possible uses of Federated Search for Amazon S3 include, but are not limited to, the following scenarios:

  • Threat hunting over historical data
  • Provision of as-needed dataset access for compliance
  • Creation of statistical reports and analytical searches that leverage historical data
  • Exploration of stored Amazon S3 data, in the interest of locating data to ingest to Splunk

Federated Search for Amazon S3 is part of the Data Management app, where you'll set up your federated search experience through the definition of connections and datasets.

Federated Search for Amazon S3 is available only for Splunk Cloud Platform deployments in AWS regions. To activate Federated Search for Amazon S3, you must contact your Splunk sales representative. For more information, see Overview of Federated Search for Amazon S3.

Federated Search for Microsoft Azure

Federated Search for Microsoft Azure lets you run federated searches from your Splunk platform deployment over datasets located in Microsoft Azure Data Lake Storage and Azure Blob Storage containers. When you run these federated searches, you use SPL2 search commands and syntax.

Federated Search for Microsoft Azure is part of the Data Management app, where you'll set up your federated search experience through the definition of connections and datasets.

Federated Search for Microsoft Azure is available only for Splunk Cloud Platform deployments in AWS regions. To activate Federated Search for Microsoft Azure, you must contact your Splunk sales representative. For more information, see About Federated Search for Microsoft Azure.

Note: If you are an existing user of Federated Search for Amazon S3 or Federated Analytics, apply for access to Federated Search for Microsoft Azure through the VOC portal.

Federated Search for Azure Databricks

Federated Search for Azure Databricks lets you run federated searches from your Splunk platform deployment over Azure Databricks tables stored remotely in Unity Catalog. When you run these federated searches, you use SPL2 search commands and syntax.

Federated Search for Azure Databricks is part of the Data Management app, where you'll set up your federated search experience through the definition of connections and datasets.

Federated Search for Azure Databricks is available only for Splunk Cloud Platform deployments in AWS regions. To activate Federated Search for Azure Databricks, you must contact your Splunk sales representative. For more information, see About Federated Search for Azure Databricks.

Note: If you are an existing user of Federated Search for Amazon S3 or Federated Analytics, apply for access to Federated Search for Azure Databricks through the VOC portal.

Federated Analytics for Amazon Security Lake

Federated Analytics gives you two methods for applying threat detection and threat hunting searches to Amazon Security Lake security data that is stored in your Amazon Web Services (AWS) account:

  • For threat detection, you can ingest recent Amazon Security Lake data into local indexes on your Splunk Cloud Platform deployment, and then apply high-frequency scheduled searches and alerts to that data.
  • For threat hunting, you can run infrequent ad hoc federated searches over long time-range Amazon Security Lake datasets where they live in Amazon S3.

Federated Analytics is available only for Splunk Cloud Platform deployments in AWS regions. To activate Federated Analytics, you must contact your Splunk sales representative. For more information, see About Federated Analytics.