
Configure hybrid search
To examine data in Splunk Enterprise and Splunk Cloud in a single search, you can configure an on-premises Splunk Enterprise search head to connect to a Splunk Cloud indexer cluster. This configuration is called hybrid search.
The following conditions and limitations apply to hybrid search.
- You can initiate searches from an on-premises Splunk Enterprise search head to a Splunk Cloud deployment.
- You cannot initiate searches from a Splunk Cloud search head to an on-premises Splunk Enterprise deployment.
- The version of the on-premises Splunk Enterprise search head must be equal to or higher than the version of Splunk Cloud.
- Ad-hoc search is supported.
- Scheduled searches are not supported.
- Hybrid search is not available for use with any Splunk premium solutions such as Enterprise Security and IT Service Intelligence.
To enable hybrid search
1. Go to the Support portal and open a case with Splunk Support, requesting that they enable hybrid search for your Splunk Cloud instance. Be sure to specify that you want a 1 MB Splunk Enterprise license for the on-premises search head that you want to use for hybrid search. Splunk Support sends you the license and the Master URI and security key for your Splunk Cloud deployment, which are required to configure hybrid search.
2. Log into your Splunk Enterprise search head.
3. In Splunk Web, select Settings > Distributed Environment > Indexer Clustering.
4. Click Enable Indexer Clustering.
5. Select Search head node and click Next.
6. Enter the Master URI and security key that you received from Splunk Support.
7. Click Enable search head node.
8. Open the Server Controls page and restart the search head.
9. Run a search command like the following, which retrieves Splunk log events and lists the servers that the events come from:
    index = _* | stats count by splunk_server
If hybrid search is configured correctly, results from both your Splunk Enterprise and your Splunk Cloud deployments are listed.
This documentation applies to the following versions of Splunk Cloud™: 6.6.3, 7.0.0, 7.0.2, 7.0.3, 7.0.5
Comments
Note: If you see the error message 'Master has multisite enabled but the search head is missing the 'multisite' attribute for master', this is because Splunk Cloud has multi-site enabled.
To fix that, run this command on your on-prem search head from the bin folder:
splunk edit cluster-master https://c0m1.bootcamp-[location]-##.splunkcloud.com:8089 -site site0
You can determine the IP addresses of your indexers by running the following command:
khourihan@BLUE:~$ host inputs1.your_stack_name.splunkcloud.com
inputs1.your_stack_name.splunkcloud.com has address 18.205.52.187
inputs1.your_stack_name.splunkcloud.com has address 34.232.178.1
inputs1.your_stack_name.splunkcloud.com has address 18.205.222.50
If you have more than 7 indexers (larger deployments), repeat this process for inputs2, inputs3 … inputs7.
You should also note that you need to allow traffic out from the on-prem search head to TCP port 8089 on the Splunk Cloud cluster master and the Splunk Cloud indexers.
You can determine the IP address of the cluster master by running the following command:
khourihan@BLUE:~$ host c0m1.your_stack_name.splunkcloud.com
c0m1.your_stack_name.splunkcloud.com is an alias for c0m1-i-04ab85b1146fcbcaa.your_stack_name.splunkcloud.com.
c0m1-i-04ab85b1146fcbcaa.your_stack_name.splunkcloud.com is an alias for ec2-34-228-114-134.compute-1.amazonaws.com.
ec2-34-228-114-134.compute-1.amazonaws.com has address 34.228.114.134
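As an added example (not from the Splunk documentation and not the commenter's own code), the following POSIX shell script turns the `host` lookups above into an egress allowlist for the on-prem search head: it resolves the cluster master name and the inputs1 to inputsN names for a stack, keeps only the final "has address" lines so the CNAME chain the cluster master name goes through is followed correctly, and prints iptables rules that permit outbound TCP 8089 to exactly those addresses. `your_stack_name` is a placeholder as in the comment, the iptables OUTPUT chain is an assumption about the search head's firewall, and the script prints rules without applying them.

```shell
#!/bin/sh
# Added example: build an outbound TCP 8089 allowlist for an on-prem search
# head from the Splunk Cloud cluster master and indexer DNS names.
# Stack name and chain are placeholders/assumptions; nothing is applied.
set -eu

# Extract IPv4 addresses from `host` output. Alias (CNAME) lines are skipped;
# only the final "<name> has address <ip>" lines carry an address.
addrs_from_host_output() {
  awk '$2 == "has" && $3 == "address" { print $4 }' | sort -u
}

# Resolve one name with `host` and print its IPv4 addresses, one per line.
resolve_addrs() {
  host "$1" | addrs_from_host_output
}

# Print one iptables rule per address read from stdin, allowing the search
# head to open TCP $1 to that address. The text is printed, not executed,
# so it can be reviewed or fed to whatever firewall actually sits in the path.
egress_rules_for() {
  port="$1"
  while read -r ip; do
    [ -n "$ip" ] || continue
    printf 'iptables -A OUTPUT -p tcp -d %s --dport %s -j ACCEPT\n' "$ip" "$port"
  done
}

# Names to allowlist for a stack: the cluster master (c0m1), then
# inputs1..inputsN (the comment notes larger deployments use inputs1 to inputs7).
endpoint_names() {
  stack="$1"; n="${2:-7}"
  printf 'c0m1.%s.splunkcloud.com\n' "$stack"
  i=1
  while [ "$i" -le "$n" ]; do
    printf 'inputs%d.%s.splunkcloud.com\n' "$i" "$stack"
    i=$((i + 1))
  done
}

# Usage: main <stack_name> [number_of_inputs_names]
# Addresses behind these names can change, so regenerate the rules from DNS
# rather than hard-coding addresses copied from a single lookup.
main() {
  endpoint_names "${1:-your_stack_name}" "${2:-7}" |
    while read -r name; do resolve_addrs "$name"; done |
    sort -u | egress_rules_for 8089
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh allowlist.sh your_stack_name 7` on a host with the `host` utility; the parser works on the same output format the comment shows, so the cluster master's two-hop alias chain yields a single address.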
I have found that some steps are missing in the Splunk document for Enabling Hybrid Search (http://docs.splunk.com/Documentation/SplunkCloud/7.0.3/User/SearchCloudfromEnterprise).
ISSUE:
One more step needs to be added after step 6 if multi-site is enabled in the cloud environment; otherwise the UI gives this error: "Master has multi-site enabled but the search head is missing the 'multisite' attribute for master".
Step and Reason:
This is because some cloud environments are multi-site configured and the on-premise search head is not. So, in this case, the on-premise search head has to enable one parameter, "multisite = true", in the [clustermaster:<cluster-master-DNS>:8089] stanza from the backend, and then restart Splunk.