Splunk Cloud Admin Manual

Configure hybrid search

You can configure an on-premises Splunk Enterprise search head to connect to both a set of on-premises indexers and a Splunk Cloud indexer cluster. The search head can then run hybrid searches that combine on-premises data with data from Splunk Cloud.

To search across both on-premises and Splunk Cloud data, you must run the search from an on-premises search head. A Splunk Cloud search head can only search data on Splunk Cloud.

Hybrid search limitations

The following conditions and limitations apply to hybrid search.

  • You must run hybrid searches from an on-premises search head. You cannot run a hybrid search from a Splunk Cloud search head.
  • The on-premises search head must run the same major.minor version as Splunk Cloud. For example, an on-premises search head on 7.1.2 works with 7.1.x versions of Splunk Cloud.
  • Only ad-hoc searches are supported. Scheduled searches are not supported.
  • You cannot install a Splunk Premium Solution on a hybrid search head. However, you can run a hybrid search against a Splunk Cloud stack that includes a premium solution, as long as the hybrid search head running the hybrid search complies with all necessary conditions and limitations. See Splunk premium solutions in the Splunk Cloud Service Description for a complete list of premium solutions.
  • You cannot initiate searches from an on-premises Splunk Enterprise search head to multiple Splunk Cloud environments.

For more information, see the hybrid search information in the Search section of the Splunk Cloud Service Description. Be sure to select the correct service description version for your Splunk Cloud deployment in the Version drop-down menu.

Enable hybrid search

This procedure is valid only for an on-premises standalone search head that is not part of either an on-premises indexer cluster or an on-premises search head cluster.

Prerequisites

  1. Confirm that the on-premises search head is already configured to search across on-premises indexers. To learn how to configure a search head to connect with on-premises indexers, see Deploy a distributed search environment in the Splunk Enterprise Distributed Search manual.
  2. Confirm that the on-premises search head is running on the same major.minor version of Splunk Enterprise as Splunk Cloud. If necessary, upgrade the search head to the Splunk Cloud version.
  3. Go to the Support portal and open a case with Splunk Support to enable hybrid search for your Splunk Cloud instance. Provide Splunk Support with the public IP address(es) of the hybrid search head(s) so that access lists in the Splunk Cloud environment can be created. In addition, specify that you need:
    • a 1 MB Splunk Enterprise license for the on-premises search head that you want to use for hybrid search
    • the URI for the master node of the Splunk Cloud indexer cluster
    • the security key for the Splunk Cloud indexer cluster

Steps

  1. Install the 1 MB license on the on-premises search head. See Install a license.
  2. Add the following lines to the server.conf file on the on-premises search head:
    [general]
    site = site0
    
    [clustering]
    multisite = true
    master_uri = <master node URI from Support>
    mode = searchhead
    pass4SymmKey = <security key from Support>
    
  3. Restart the search head. On startup, Splunk encrypts the pass4SymmKey value in server.conf, but the key remains recoverable by anyone who can read both server.conf and the instance's splunk.secret, so restrict read access to those files to the Splunk service account.
  4. Run a search command like the following, which retrieves Splunk log events and lists the indexers that the events come from:
    index=_* | stats count by splunk_server

    If hybrid search is configured correctly, indexers from both your Splunk Enterprise and your Splunk Cloud deployments are listed in the results.
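The following is an added example, not code from the Splunk documentation, that scripts the procedure above: it validates the server.conf stanza before the restart (step 2), and classifies the splunk_server values returned by the verification search (step 4) so the pass/fail decision does not rely on eyeballing the results. Assumed rather than stated on the page: Splunk Cloud indexers report names ending in .splunkcloud.com, the search head's management port is 8089 and accepts a bearer token, and the hostnames, key and counts in the sample data are constructed.

```python
"""Pre-flight and post-restart checks for an on-premises hybrid search head.

Added example; not part of the Splunk documentation. Assumptions: Splunk Cloud
indexer names end in ".splunkcloud.com", the master_uri uses https with an
explicit port, and the search head REST API is on :8089 with a bearer token.
"""
import configparser
import json
import ssl
import urllib.parse
import urllib.request

CLOUD_SUFFIX = ".splunkcloud.com"  # assumed naming of Splunk Cloud indexers
VERIFY_SEARCH = "search index=_* | stats count by splunk_server"


def check_server_conf(text):
    """Return problems found in the hybrid search stanzas; [] means it passes."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive (pass4SymmKey)
    cp.read_string(text)
    problems = []

    expected = {
        ("general", "site"): "site0",
        ("clustering", "multisite"): "true",
        ("clustering", "mode"): "searchhead",
    }
    for (stanza, key), want in expected.items():
        got = cp.get(stanza, key, fallback=None)
        if got is None:
            problems.append(f"[{stanza}] {key} is missing")
        elif got.strip().lower() != want:
            problems.append(f"[{stanza}] {key} is {got!r}, expected {want!r}")

    # Values that Support supplies must not be empty or still a placeholder.
    for key in ("master_uri", "pass4SymmKey"):
        val = cp.get("clustering", key, fallback="").strip()
        if not val or val.startswith("<"):
            problems.append(f"[clustering] {key} is empty or still a placeholder")

    uri = cp.get("clustering", "master_uri", fallback="").strip()
    if uri and not uri.startswith("<"):
        parsed = urllib.parse.urlsplit(uri)
        if parsed.scheme != "https":
            problems.append("master_uri must use https")
        if parsed.port is None:
            problems.append("master_uri must include the management port (e.g. :8089)")
    return problems


def classify_indexers(results, cloud_suffix=CLOUD_SUFFIX):
    """Split `| stats count by splunk_server` rows into (cloud, on_prem) names."""
    cloud, on_prem = [], []
    for row in results:
        name = row.get("splunk_server", "")
        (cloud if name.lower().endswith(cloud_suffix) else on_prem).append(name)
    return sorted(cloud), sorted(on_prem)


def hybrid_search_ok(results, cloud_suffix=CLOUD_SUFFIX):
    """True only when events came back from both on-premises and cloud indexers."""
    cloud, on_prem = classify_indexers(results, cloud_suffix)
    return bool(cloud) and bool(on_prem)


def run_verify_search(base_url, token, cafile):
    """Run the step-4 search over REST (export endpoint) and return result rows.

    base_url: e.g. https://sh.corp.example:8089 (assumed); cafile: CA bundle
    that signed the management certificate. Verification is kept on.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    body = urllib.parse.urlencode({"search": VERIFY_SEARCH, "output_mode": "json"}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/services/search/jobs/export",
        data=body,
        headers={"Authorization": "Bearer " + token},
    )
    rows = []
    with urllib.request.urlopen(req, context=ctx, timeout=120) as resp:
        for line in resp:  # export streams one JSON object per line
            line = line.strip()
            if line:
                obj = json.loads(line)
                if "result" in obj:
                    rows.append(obj["result"])
    return rows


# Constructed sample data: a filled-in stanza and what step 4 should return.
SAMPLE_CONF = """\
[general]
site = site0

[clustering]
multisite = true
master_uri = https://c0m1.acme.splunkcloud.com:8089
mode = searchhead
pass4SymmKey = Y2x1c3RlcktleUV4YW1wbGU
"""

SAMPLE_RESULTS = [
    {"splunk_server": "idx01.corp.example", "count": "4812"},
    {"splunk_server": "idx02.corp.example", "count": "4790"},
    {"splunk_server": "idx-i-0a1b2c3d4e5f.acme.splunkcloud.com", "count": "910"},
    {"splunk_server": "idx-i-5f4e3d2c1b0a.acme.splunkcloud.com", "count": "887"},
]

if __name__ == "__main__":
    print("conf problems:", check_server_conf(SAMPLE_CONF))
    cloud, on_prem = classify_indexers(SAMPLE_RESULTS)
    print("cloud:", cloud, "on-prem:", on_prem, "hybrid ok:", hybrid_search_ok(SAMPLE_RESULTS))
```

Run check_server_conf on the real server.conf before the restart in step 3; after the restart, feed run_verify_search output to hybrid_search_ok. If only on-premises indexers appear, the usual causes are the search head's public IP missing from the Splunk Cloud access list or a version mismatch, both covered in the prerequisites.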
Last modified on 27 April, 2021

This documentation applies to the following versions of Splunk Cloud: 8.0.2006, 8.0.2007, 8.1.2008, 8.1.2009, 8.1.2011, 8.1.2012 (latest FedRAMP release)

