Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Federated Search Questions- Authentication option and Indexers?

jonaclough
Path Finder
‎01-18-2023 12:04 AM

Regarding Federated search:

  • Is the only authentication option username and password? We use SSO on the remote search head (LDAP/Reverse Proxy) which would be preferable.
  • Why do you need to explicitly define each remote index on the FSH? Why don’t Splunk allow you to enable all indexes and save the effort of having the maintain the list
Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tej57
Contributor
‎01-27-2023 09:37 AM

Hey @jonaclough,

For the first question, you'll have to use the username and password combination only for connecting to the remote search head. You can use a service account user created for federated search activities. 

For second question, I believe it is good to have one to one mapping for index from a security point of view. Not all indexes are required to be allowed/searched on the federated search. Only the required ones as per the use cases can be added.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

nejmeddine
Loves-to-Learn
‎05-04-2023 07:17 AM

can i use federated search between different versions splunk?

0 Karma
Reply
Solved! Jump to solution

tej57
Contributor
‎05-22-2023 06:52 PM

Hey @nejmeddine ,

Federated search can work on different Splunk versions as far as backward compatibility meets. You can find the same on the document below:

https://docs.splunk.com/Documentation/Splunk/9.0.4/Search/Aboutfederatedsearch#Kinds_of_federated_se...

 

- Hope this helps..!! 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

tej57
Contributor
‎01-27-2023 09:37 AM

Hey @jonaclough,

For the first question, you'll have to use the username and password combination only for connecting to the remote search head. You can use a service account user created for federated search activities. 

For second question, I believe it is good to have one to one mapping for index from a security point of view. Not all indexes are required to be allowed/searched on the federated search. Only the required ones as per the use cases can be added.

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...