Splunk Cloud Platform

Federated Search

Migrate from hybrid search to Federated Search for Splunk

Do you run hybrid searches from your Splunk Enterprise search head that combine data from your Splunk Enterprise instance with data from a Splunk Cloud Platform environment? Now you can migrate your hybrid searches to Federated Search for Splunk. Federated Search for Splunk expands your cross-deployment search capabilities.

Comparing hybrid search and Federated Search for Splunk

The following table shows you how hybrid search and transparent mode federated search match up.

Feature Hybrid search Federated Search for Splunk in transparent mode
Environments spanned in a search Hybrid searches can span a single Splunk Enterprise deployment and a single Splunk Cloud Platform deployment. Transparent mode federated searches can span a single Splunk Enterprise deployment and multiple Splunk Cloud Platform deployments.
Splunk Cloud Platform (SCP) experience designation support Hybrid search supports only SCP environments with the Classic Experience designation. Hybrid search does not support SCP environments with the Victoria Experience designation. Federated search supports both Classic and Victoria Experience SCP environments.
Ad-hoc search Yes Yes
Scheduled search No Yes
Workload management (WLM) No Yes
Search processing language (SPL) coverage No special syntax required. All commands allowed. No special syntax required. All commands allowed.
Security (RBAC) Hybrid search enforces all security at the Splunk Enterprise search head. Transparent mode federated searches enforce all security at the Splunk Enterprise search head, with the exception of remote indexes, the access to which is governed by the service account user on the Splunk Cloud Platform search head. See Service accounts and federated search security.
Search head architecture For hybrid search, the Splunk Cloud Platform requires a single search head. Hybrid search does not let you search Splunk Cloud Platform environments with search head cluster configurations. Federated search works with all search management tier architecture options and combinations.
Version compatibility and upgrades There are strict version dependencies for hybrid search between Splunk Enterprise and Splunk Cloud Platform environments. An upgrade on either side can break hybrid searches until you upgrade the corresponding deployment to a compatible version. For transparent mode federated search, you need to have Splunk Enterprise 9.0 or higher and Splunk Cloud Platform 8.2.2107 or higher. There isn't a strict versioning dependency between the two platforms. Splunk Cloud Platform upgrades do not break federated searches.
Operability To activate and configure hybrid search between a Splunk Enterprise environment and Splunk Cloud Platform environment, you must contact your Splunk representative. You should be able to activate and configure federated search between a Splunk Enterprise environment and a Splunk Cloud Platform environment by following the steps outlined in this topic.

Transparent or standard mode?

Federated Search for Splunk offers two modes of operation: standard and transparent. These modes provide two different experiences of federated search.

Transparent mode gives hybrid search users a smooth transition to Federated Search for Splunk. Transparent mode requires the least amount of change to existing saved searches and search workflow.

For an overview of federated search terminology and a comparison of the two federated search modes, see About Federated Search for Splunk.

Move to federated search

To move to federated search, you must first contact Splunk Support to get your Splunk Cloud Platform deployment configured for federated search. Then you follow a few self-service setup steps. Afterwards, you can run federated searches that combine data from your local Splunk Enterprise deployment and a remote Splunk Cloud Platform deployment.

  1. Activate token authentication for the Splunk Cloud Platform deployment
  2. Configure the IP allow list for the Splunk Cloud Platform deployment
  3. Create a service account for the Splunk Cloud Platform deployment.
  4. Disable hybrid search on your Splunk Enterprise deployment.
  5. Create a federated provider definition for the Splunk Cloud Platform deployment.
  6. Write and run federated searches.

Activate token authentication for the Splunk Cloud Platform deployment

You must activate token authentication for your Splunk Cloud Platform deployment, if it isn't already activated. See Enable or disable token authentication in Securing Splunk Cloud Platform.

Configure the IP allow list for the Splunk Cloud Platform deployment

You must configure the IP allow list for the Splunk Cloud Platform deployment through the IP allow list page in Splunk Web. For details, see Configure IP allow lists using Splunk Web in the Splunk Cloud Platform Admin Manual.

The IP allow list use case is Search head API access.

In the IP allow list, provide the Splunk Enterprise deployment search head or search head cluster subnets using CIDR notation following this format: <ip_address>/32.

Create a service account for the Splunk Cloud Platform deployment

A service account is a dedicated user account that you create on the remote Splunk Cloud Platform deployment over which you want to run federated searches. The service account allows users on the local Splunk Enterprise deployment to apply their own data access privileges and permissions to the searches they run over the remote deployment. The service account must have a role with the fsh_manage capability.

See Service accounts and security for Federated Search for Splunk.

Turn off hybrid search on your Splunk Enterprise and Splunk Cloud Platform deployments

Turn off hybrid search on your local Splunk Enterprise deployment before you set up federated provider definitions on that deployment. See Disable hybrid search in the Splunk Cloud Platform Admin Manual.

Turn hybrid search off on your remote Splunk Cloud Platform deployment before you define your remote deployment as a federated provider for your local Splunk Enterprise deployment.

Splunk Customer Support will assist you in turning off hybrid search functionality configured for your Splunk Cloud Platform deployment. If you have a support contract, log in and file a new case using the Splunk Support Portal. Otherwise, contact Splunk Customer Support.

If you skip this step, you risk getting duplicated or incomplete search results during the period when hybrid search and transparent mode federated search are simultaneously operating on your system.

Create a federated provider definition for the Splunk Cloud Platform deployment

You create a federated provider definition for your Splunk Cloud Platform deployment through the Federated Provider page. The Federated Provider page is available in Settings. These settings determine how the federated search head on your Splunk Enterprise deployment collaborates with the remote search heads on your federated provider to run a federated search.

See Define a Splunk platform federated provider.

An image of the Add Federated Provider dialog, filled out for a federated provider named provider001.

When you set up a Splunk Cloud Platform environment as a federated provider, you:

Determine whether the provider uses standard mode or transparent mode
If you are transitioning from hybrid search to federated search, use transparent mode.
Help your local federated search head connect to the remote federated provider
Supply the Splunk Cloud Platform environment host name and management port number (8089).
Provide the service account credentials
Supply the service account user id and password you defined previously.

Now you are ready to run federated searches.

Write and run federated searches

Under transparent mode you can run the same kinds of searches that you used for hybrid search, without changes to syntax.

See Run federated searches over remote Splunk platform deployments for more information about writing federated searches and about restrictions on federated searches.

Last modified on 30 August, 2024
About Federated Search for Splunk   Service accounts and security for Federated Search for Splunk

This documentation applies to the following versions of Splunk Cloud Platform: 9.2.2406 (latest FedRAMP release), 9.3.2408


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters