Splunk Search

Federated Search Questions - Authentication option and Indexers?

jonaclough
Path Finder

Regarding Federated search:

  • Is the only authentication option username and password? We use SSO on the remote search head (LDAP/Reverse Proxy) which would be preferable.
  • Why do you need to explicitly define each remote index on the FSH? Why doesn't Splunk allow you to enable all indexes and save the effort of having to maintain the list?
0 Karma
1 Solution

tej57
Contributor

Hey @jonaclough,

For the first question, you'll have to use the username and password combination only for connecting to the remote search head. You can use a service account user created for federated search activities. 

For the second question, I believe it is good to have a one-to-one mapping for indexes from a security point of view. Not all indexes are required to be allowed/searched on the federated search. Only the required ones as per the use cases can be added.

0 Karma
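
The service-account and one-to-one index mapping approach from the answer above, as an added configuration sketch (not part of the original post and not Splunk's own sample). The provider, role, account, host and index names are hypothetical, the password is a placeholder, and the single capability shown is an assumption.

```ini
# --- Remote search head: authorize.conf ---
# Role for the federated-search service account (hypothetical name).
# It imports no other role, so it inherits no wider index access.
[role_fed_search_svc]
# Assumption: minimal capability; confirm the required set in the
# federated search documentation for your version.
search = enabled
# Only the indexes the federated use cases need.
srchIndexesAllowed = firewall;proxy
srchIndexesDefault = firewall

# --- Federated search head (FSH): federated.conf ---
# Provider definition that logs in with the service account.
[provider://remote_soc]
type = splunk
hostPort = remote-sh.example.com:8089
serviceAccount = fed_search_svc
password = <service-account-password>
mode = standard

# --- Federated search head (FSH): indexes.conf ---
# One federated index per remote index that a use case needs.
[federated:fed_firewall]
federated.provider = remote_soc
federated.dataset = index:firewall

[federated:fed_proxy]
federated.provider = remote_soc
federated.dataset = index:proxy
```

In this layout a remote index is searchable from the FSH only if it appears both in the service account role's `srchIndexesAllowed` and in a federated index stanza.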

nejmeddine
Loves-to-Learn

Can I use federated search between different versions of Splunk?

0 Karma

tej57
Contributor

Hey @nejmeddine ,

Federated search can work on different Splunk versions as long as backward compatibility is met. You can find the same in the document below:

https://docs.splunk.com/Documentation/Splunk/9.0.4/Search/Aboutfederatedsearch#Kinds_of_federated_se...

 

- Hope this helps..!! 🙂

0 Karma
