Platform: Federated Data Management

Community Office Hours
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Platform: Federated Data Management

Platform: Federated Data Management

1 Comment
Cover Images - Office Hours (3).png
Published on ‎03-31-2025 12:05 PM by Splunk Employee | Updated on ‎06-25-2025 01:41 PM

Register/Watch OnDemand here.  This thread is for the Community Office Hours session on Platform: Federated Data Management on Wed, June 18, 2025 at 1pm PT / 4pm ET

 

Ask the experts at Community Office Hours! An ongoing series where technical Splunk experts answer questions and provide how-to guidance on various Splunk product and use case topics.

 

What can I ask in this AMA?

  • How do Data Management, Federated Search, and Federated Analytics work together? Can I get a demo?
  • How can I optimize my data design according to its use case (detection, investigation, threat hunting, compliance, etc.)?
  • How does Splunk enable data federation across Amazon Security Lake and S3? What tools are available to me?
  • How can I onboard data from any data store or end points?
  • How can I start filtering and routing data with Edge Processor or Ingest Processor?
  • How can I optimize my Edge Processor or Ingest Processor pipelines?
  • Anything else you’d like to learn!

 

Please submit your questions at registration. You can also head to the #office-hours user Slack channel to ask questions (request access here)

 

Pre-submitted questions will be prioritized. After that, we will open the floor up to live Q&A with meeting participants.

 

Look forward to connecting!


Labels (2)
0 Karma
adepp
Splunk Employee
Splunk Employee
‎06-25-2025 01:40 PM
‎06-25-2025 01:40 PM

Hi everyone! Here are a few questions from the session (get the full Q&A deck and live recording in the #office-hours Slack channel - request access here) :

 

Q1: How does Splunk enable data federation across Amazon Security Lake and S3? What tools are available to me?

  • FS-S3 + FA-ASL
  • Runs on Splunk Cloud
  • Set up Federated Search for infrequent, ad-hoc quering
    • Glue table + resource share from AWS
    • search using sdselect
  • Set up Data Lake Indexing for frequent querying and ES use cases

Q2: How is the Amazon S3 data searched through Splunk?

  • To access S3 data today, customers need to use the new SPL command ‘sdselect’, which follows a SQL-like syntax. 
  • In the future, ‘sdselect’ will be replaced with SPL2.
  • sdselect command syntax

Q3: How do I forward my logs to Edge Processor once I’ve successfully configured it? Script is showing as healthy. 

 

Other Questions (check the #office-hours Slack channel for responses):

  • How do Data Management and Federation work together?
  • How can I optimize DSU consumption for  FS-S3 use case?
  • Datamodel Acceleration via Federated Search
  • AWS S3 Replay in Splunk Cloud
0 Karma