Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can Splunk Federated Search be configured for bidirectional search?

meetmshah
SplunkTrust
SplunkTrust
‎07-29-2025 09:26 AM

I want to configure Federated Search so that Deployment A can search Deployment B, and Deployment B can also search Deployment A. I understand that Federated Search is typically unidirectional (local search head → remote provider). Is it possible to configure it for true bidirectional searches in a single architecture (create two separate unidirectional configurations (A→B and B→A))?

Has anyone implemented this setup successfully? Any best practices or caveats would be appreciated.

Also, have anyone implemented this along with ITSI - what are the takeaways and do & don'ts?

Labels (1)
Labels
0 Karma
Reply

PrewinThomas
Motivator
‎07-30-2025 12:46 AM

@meetmshah 

I haven't tested this personally. But theoratically by creating two separate unidirectional configurations its feasible. Deployment A acts as a Federated Search Head with Deployment B as its Federated Provider and deployment B also acts as a Federated Search Head with Deployment A as its Federated Provider.

As per document Real-time searches are not supported in Federated Search mode.
#https://docs.splunk.com/Documentation/ITSI/4.20.1/EA/FedSearch

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply

meetmshah
SplunkTrust
SplunkTrust
‎07-30-2025 12:20 AM

Thanks for the answer @livehybrid. With respect to - "Yes two different deployments can be fed. search clients for eachother"? - Have you seen an environment with the same? Because I couldn't find any of the Splunk Doc where it's mentioned that the environments can be interconnected.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎07-29-2025 02:13 PM

Hi @meetmshah 

Yes two different deployments can be fed. search clients for eachother - however the connections will not really know of each other. 

I dont know too much about the best practices here, however *Federated Search for Splunk supports Splunk IT Service Intelligence version 4.16.0 and higher, for transparent mode federated search only* based on the docs.

Note - the federated search docs suggest engaging with your account team and/or support when working with premium apps such as ITSI with federated search.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...