Migrate from hybrid search to Federated Search for Splunk
Do you run hybrid searches from your Splunk Enterprise search head that combine data from your Splunk Enterprise instance with data from a Splunk Cloud Platform environment? Now you can migrate your hybrid searches to Federated Search for Splunk. Federated Search for Splunk expands your cross-deployment search capabilities.
Comparing hybrid search and Federated Search for Splunk
The following table shows you how hybrid search and transparent mode federated search match up.
Feature | Hybrid search | Federated Search for Splunk in transparent mode |
---|---|---|
Environments spanned in a search | Hybrid searches can span a single Splunk Enterprise deployment and a single Splunk Cloud Platform deployment. | Transparent mode federated searches can span a single Splunk Enterprise deployment and multiple Splunk Cloud Platform deployments. |
Splunk Cloud Platform (SCP) experience designation support | Hybrid search supports only SCP environments with the Classic Experience designation. Hybrid search does not support SCP environments with the Victoria Experience designation. | Federated search supports both Classic and Victoria Experience SCP environments. |
Ad-hoc search | Yes | Yes |
Scheduled search | No | Yes |
Workload management (WLM) | No | Yes |
Search processing language (SPL) coverage | No special syntax required. All commands allowed. | No special syntax required. All commands allowed. |
Security (RBAC) | Hybrid search enforces all security at the Splunk Enterprise search head. | Transparent mode federated searches enforce all security at the Splunk Enterprise search head, with the exception of remote indexes, the access to which is governed by the service account user on the Splunk Cloud Platform search head. See Service accounts and federated search security. |
Search head architecture | For hybrid search, the Splunk Cloud Platform requires a single search head. Hybrid search does not let you search Splunk Cloud Platform environments with search head cluster configurations. | Federated search works with all search management tier architecture options and combinations. |
Version compatibility and upgrades | There are strict version dependencies for hybrid search between Splunk Enterprise and Splunk Cloud Platform environments. An upgrade on either side can break hybrid searches until you upgrade the corresponding deployment to a compatible version. | For transparent mode federated search, you need to have Splunk Enterprise 9.0 or higher and Splunk Cloud Platform 8.2.2107 or higher. There isn't a strict versioning dependency between the two platforms. Splunk Cloud Platform upgrades do not break federated searches. |
Operability | To activate and configure hybrid search between a Splunk Enterprise environment and Splunk Cloud Platform environment, you must contact your Splunk representative. | You should be able to activate and configure federated search between a Splunk Enterprise environment and a Splunk Cloud Platform environment by following the steps outlined in this topic. |
Transparent or standard mode?
Federated Search for Splunk offers two modes of operation: standard and transparent. These modes provide two different experiences of federated search.
Transparent mode gives hybrid search users a smooth transition to Federated Search for Splunk. Transparent mode requires the least amount of change to existing saved searches and search workflow.
For an overview of federated search terminology and a comparison of the two federated search modes, see About Federated Search for Splunk.
Move to federated search
To move to federated search, you must first contact Splunk Support to get your Splunk Cloud Platform deployment configured for federated search. Then you follow a few self-service setup steps. Afterwards, you can run federated searches that combine data from your local Splunk Enterprise deployment and a remote Splunk Cloud Platform deployment.
- Activate token authentication for the Splunk Cloud Platform deployment
- Configure the IP allow list for the Splunk Cloud Platform deployment
- Create a service account for the Splunk Cloud Platform deployment.
- Disable hybrid search on your Splunk Enterprise deployment.
- Create a federated provider definition for the Splunk Cloud Platform deployment.
- Write and run federated searches.
Activate token authentication for the Splunk Cloud Platform deployment
You must activate token authentication for your Splunk Cloud Platform deployment, if it isn't already activated. See Enable or disable token authentication in Securing Splunk Cloud Platform.
Configure the IP allow list for the Splunk Cloud Platform deployment
You must configure the IP allow list for the Splunk Cloud Platform deployment through the IP allow list page in Splunk Web. For details, see Configure IP allow lists using Splunk Web in the Splunk Cloud Platform Admin Manual.
The IP allow list use case is Search head API access.
In the IP allow list, provide the Splunk Enterprise deployment search head or search head cluster subnets using CIDR notation following this format: <ip_address>/32
.
Create a service account for the Splunk Cloud Platform deployment
A service account is a dedicated user account that you create on the remote Splunk Cloud Platform deployment over which you want to run federated searches. The service account allows users on the local Splunk Enterprise deployment to apply their own data access privileges and permissions to the searches they run over the remote deployment. The service account must have a role with the fsh_manage capability.
See Service accounts and security for Federated Search for Splunk.
Turn off hybrid search on your Splunk Enterprise and Splunk Cloud Platform deployments
Turn off hybrid search on your local Splunk Enterprise deployment before you set up federated provider definitions on that deployment. See Disable hybrid search in the Splunk Cloud Platform Admin Manual.
Turn hybrid search off on your remote Splunk Cloud Platform deployment before you define your remote deployment as a federated provider for your local Splunk Enterprise deployment.
Splunk Customer Support will assist you in turning off hybrid search functionality configured for your Splunk Cloud Platform deployment. If you have a support contract, log in and file a new case using the Splunk Support Portal. Otherwise, contact Splunk Customer Support.
If you skip this step, you risk getting duplicated or incomplete search results during the period when hybrid search and transparent mode federated search are simultaneously operating on your system.
Create a federated provider definition for the Splunk Cloud Platform deployment
You create a federated provider definition for your Splunk Cloud Platform deployment through the Federated Provider page. The Federated Provider page is available in Settings. These settings determine how the federated search head on your Splunk Enterprise deployment collaborates with the remote search heads on your federated provider to run a federated search.
See Define a Splunk platform federated provider.
When you set up a Splunk Cloud Platform environment as a federated provider, you:
- Determine whether the provider uses standard mode or transparent mode
- If you are transitioning from hybrid search to federated search, use transparent mode.
- Help your local federated search head connect to the remote federated provider
- Supply the Splunk Cloud Platform environment host name and management port number (8089).
- Provide the service account credentials
- Supply the service account user id and password you defined previously.
Now you are ready to run federated searches.
Write and run federated searches
Under transparent mode you can run the same kinds of searches that you used for hybrid search, without changes to syntax.
See Run federated searches over remote Splunk platform deployments for more information about writing federated searches and about restrictions on federated searches.
About Federated Search for Splunk | Service accounts and security for Federated Search for Splunk |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!