Splunk Federated Search is a feature that allows users to search across multiple, distinct Splunk deployments or instances from a single search head interface. This is particularly useful for organizations with distributed environments or multiple Splunk deployments, as it enables a unified search experience without the need to consolidate all data into a single instance.

How to Set Up Federated Search?

Log in to Splunk with a user that has admin privileges > Settings > Federated Search

Enter the details of your remote Splunk environment:

Provider name -> You can have multiple federated connections, so give each one a descriptive name.
Remote host -> DNS name or IP of your remote Splunk search head and its management port (default 8089)
Service account username and password -> Credentials on the remote Splunk instance (it is recommended to use a dedicated account for federated searches)

Now create a federated index

You have to create a local federated index/dataset for each remote index/dataset that you want to search.
(Dataset: a dataset can be a saved search, alert, report, or data model)

Finally, you can search the logs from the remote Splunk instance by using the "federated" term in your search.
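The same setup expressed as a federated.conf fragment on the local search head, added here as an example and not taken from the original post; the provider name, host, service account and index names are placeholders, and the stanza and key names are from my reading of federated.conf.spec, so check them against the spec shipped with your Splunk version:

```ini
# federated.conf on the LOCAL search head (the one that runs federated searches).
# Stanza and key names are assumed from federated.conf.spec; verify against your version.

# 1. The federated provider: the remote search head reached over the management port.
#    "remote_site_a" and the host name are placeholders.
[provider://remote_site_a]
type = splunk
hostPort = splunk-sh.remote.example.com:8089
# Dedicated service account on the REMOTE instance; give its role read access only
# to the indexes that must be searchable from here.
serviceAccount = fsh_svc_account
password = <replace-with-service-account-password>
# Do not import the remote instance's knowledge objects (lookups, macros, ...)
useFSHKnowledge = false
mode = standard

# 2. One local federated index per remote index (or saved search / data model).
#    "fed_remote_linux" is a placeholder; "linux_logs" is the index on the remote side.
[fed_remote_linux]
provider = remote_site_a
remote.dataset.name = linux_logs
remote.dataset.type = index

# 3. Searching it from the local search bar (SPL):
#    index=federated:fed_remote_linux sourcetype=syslog | stats count by host
```

After editing the file, reload the configuration (or restart the search head) and confirm in Settings > Federated Search that the provider shows as connected before relying on it in alerts.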

There are many restrictions and controls you can set over federated searches; for example, you can restrict certain commands from being run over remote indexes.

You can learn more about federated searches here.

Federated search can also be configured to directly pull logs from AWS S3.
