Splunk Cloud

Splunk Cloud User Manual

Download manual as PDF

This documentation does not apply to the most recent version of SplunkCloud. Click here for the latest version.
Download topic as PDF

Configure hybrid search

To examine data in Splunk Enterprise and Splunk Cloud in a single search, you can configure an on-premises Splunk Enterprise search head to connect to a Splunk Cloud indexer cluster. This configuration is called hybrid search.

The following conditions and limitations apply to hybrid search.

  • You can initiate searches from an on-premises Splunk Enterprise search head to a Splunk Cloud deployment.
  • You cannot initiate searches from a Splunk Cloud search head to an on-premises Splunk Enterprise deployment.
  • The version of the on-premises Splunk Enterprise search head must be equal to or higher than the version of Splunk Cloud.
  • Ad-hoc search is supported.
  • Scheduled searches are not supported.
  • Hybrid search is not available for use with any Splunk premium solutions such as Enterprise Security and IT Service Intelligence.

The graphic shows the workflow between Enterprise and Cloud when executing a hybrid search.

To enable hybrid search

  1. Go to the Support portal and open a case with Splunk Support, requesting them to enable hybrid search for your Splunk Cloud instance. Be sure to specify that you want a 1 MB Splunk Enterprise license for the on-premises search head that you want to use for hybrid search. Splunk Support sends you the license and the Master URI and security key for your Splunk Cloud deployment, which are required to configure hybrid search.
  2. Log into your Splunk Enterprise search head.
  3. In Splunk Web, select Settings > Distributed Environment > Indexer Clustering.
  4. Click Enable indexer Clustering.
  5. Select Search head node and click Next.
  6. Enter the Master URI and security key that you received from Splunk Support.
  7. Click Enable search head node.
  8. Open the Server Controls page and restart the search head.
  9. Run a search command like the following, which retrieves Splunk log events and lists the servers that the events come from:
    index = _* | stats count by splunk_server.

If hybrid search is configured correctly, results from both your Splunk Enterprise and your Splunk Cloud deployments are listed.

PREVIOUS
Configure SAML single sign-on (SSO) to Splunk Cloud
  NEXT
Install apps in your Splunk Cloud deployment

This documentation applies to the following versions of Splunk Cloud: 6.6.3, 7.0.0, 7.0.2, 7.0.3, 7.0.5


Comments

I have found that some steps are missing in the Splunk document for Enabling Hybrid Search(http://docs.splunk.com/Documentation/SplunkCloud/7.0.3/User/SearchCloudfromEnterprise).

ISSUE:
Need to add one more step after step-6 if there is multi-site enabled in the cloud environment or else it will give this error on UI "Master has multi-site enabled but the search head is missing the 'multisite' attribute for master".

Step and Reason:-
This is because some of the cloud environment is multi-site configured and on-premise Search Head is not multisite configured. So, in this case, on-premise search-head have to enable one parameter named "multisite = true" for [clustermaster:<cluster-master-DNS>:8089] stanza from the backend. And then restart the Splunk.

Garvitpatel
June 18, 2018

Note: If you see an error message: 'Master has multisite enabled but the search head is missing the 'multisite' attribute' for master.
This is because Splunk Cloud has multi-site enabled.
To fix that you should run this command on the SH on your on-prem SearchHead from the bin folder:

splunk edit cluster-master https://c0m1.bootcamp-[location]-##.splunkcloud.com:8089 -site site0

Khourihan splunk, Splunker
May 30, 2018

You can determine the IP addresses of your indexers by running the following command:

khourihan@BLUE:~$ host inputs1.your_stack_name.splunkcloud.com
inputs1.your_stack_name.splunkcloud.com has address 18.205.52.187
inputs1.your_stack_name.splunkcloud.com has address 34.232.178.1
inputs1.your_stack_name.splunkcloud.com has address 18.205.222.50
If you have more than 7 indexers, (larger deployments) repeat this process for inputs2, inputs3 … inputs7

Khourihan splunk, Splunker
May 30, 2018

You should also note you need to allow traffic out from the on-prem Search Head to TCP port 8089 on the Splunk Cloud Cluster Masters the Splunk Cloud indexers.

You can determine the IP address of the clustermaster by running the following command:
khourihan@BLUE:~$ host c0m1.your_stack_name.splunkcloud.com
c0m1.your_stack_name.splunkcloud.com is an alias for c0m1-i-04ab85b1146fcbcaa.your_stack_name.splunkcloud.com.
c0m1-i-04ab85b1146fcbcaa.your_stack_name.splunkcloud.com is an alias for ec2-34-228-114-134.compute-1.amazonaws.com.
ec2-34-228-114-134.compute-1.amazonaws.com has address 34.228.114.134

Khourihan splunk, Splunker
May 30, 2018

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters