Migrate from hybrid search to federated search
Do you run hybrid searches from your Splunk Enterprise search head that combine data from your Splunk Enterprise instance with data from a Splunk Cloud Platform environment? Now you can migrate your hybrid searches to the federated search solution. Federated search expands your cross-deployment search capabilities.
Comparing hybrid search and federated search
The following table shows you how hybrid search and standard mode federated search match up.
|Feature||Hybrid Search||Federated Search|
in standard mode
|Environments spanned in a search||Searches can span a single Splunk Enterprise environment and a single Splunk Cloud Platform environment.||Searches can span multiple Splunk Enterprise environments and multiple Splunk Cloud Platform environments.|
|Workload management (WLM)||No||Yes|
|Search processing language (SPL) coverage||No special syntax required. All commands allowed.||Requires special syntax.
|Security (RBAC)||Hybrid search enforces all security at the Splunk Enterprise search head.||Federated search enforces security on the local and remote search heads. On the remote search head, you can apply access control at the service account for the federated provider. On the local federated search head, you can apply additional, more granular access controls at the remote dataset level by setting role-based federated index filters. See Service accounts and federated search security.|
|Search Head architecture||For hybrid search, the Splunk Cloud Platform requires a single search head. Hybrid search does not let you search Splunk Cloud Platform environments with search head cluster configurations.||Federated search works with all search management tier architecture options and combinations.|
|Version compatibility and upgrades||There are strict version dependencies for hybrid search between Splunk Enterprise and Splunk Cloud Platform environments. An upgrade on either side can break hybrid searches until you upgrade the corresponding deployment to a compatible version.||You need to have Splunk Enterprise 8.2 or higher, and Splunk Cloud Platform 8.2.2104 or higher. There isn't a strict versioning dependency between the two platforms. Splunk Cloud Platform upgrades do not break federated searches.|
|Operability||To enable and configure hybrid search between a Splunk Enterprise environment and Splunk Cloud Platform environment, you must contact your Splunk representative.||To enable federated search with a remote Splunk Cloud Platform deployment, you must contact your Splunk representative to open management port 8089 on that deployment.|
For an overview of federated search terminology, see About federated search.
Move to federated search
To move to federated search, you must contact Splunk Support to get your Splunk Cloud Platform deployment configured for federated search. Then you need to follow a few self-service steps. Afterwards, you can run federated searches that combine data from your local Splunk Enterprise deployment and a remote Splunk Cloud Platform deployment.
- Contact Splunk Support to configure the Splunk Cloud Platform Deployment for federated search.
- Create a service account for the Splunk Cloud Platform deployment.
- Create a federated provider definition for the Splunk Cloud Platform deployment.
- Create a separate federated index for each remote dataset you want to search on the federated provider.
- Write and run federated searches.
Contact Splunk Support to configure the Splunk Cloud Platform deployment for federated search
To run federated searches, Splunk Cloud Platform deployments require additional configuration from Splunk Support. If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Splunk Customer Support.
Create a service account for the Splunk Cloud Platform deployment
A service account is a dedicated user account that you create on the Splunk Cloud Platform deployment over which you want to run federated searches. The service account allows the federated search head to search data on the federated provider. How you set up this service account has implications for the amount of access your users have to data in their federated searches.
For more information see Service accounts and federated search security.
Create a federated provider definition for the Splunk Cloud Platform deployment
You create a federated provider definition for your Splunk Cloud Platform deployment through the Federated Provider page. The Federated Provider page is available in Settings. These settings determine how the federated search head on your Splunk Enterprise deployment collaborates with the remote search heads on your federated provider to run a federated search.
When you set up a Splunk Cloud Platform environment as a federated provider, you:
- Determine whether the federated provider uses standard mode or transparent mode
- Your provider mode choice depends on the version of Splunk Enterprise you use in the hybrid search. If you use Splunk Enterprise 8.2.x, use standard mode. Splunk Enterprise will support transparent mode in a forthcoming release.
- Help your local federated search head connect to the remote federated provider
- Supply the Splunk Cloud Platform environment host name, IP address, and management port number (8089).
- Provide the service account credentials
- Supply the user id and password for the service account you defined previously.
- Determine whether you are using local or remote knowledge objects
- The Local Knowledge Objects setting determines whether the knowledge objects used in your federated searches with this provider come from the local federated search head on your Splunk Enterprise deployment or the remote search head on the Splunk Cloud Platform federated provider. Local Knowledge Objects defaults to disabled for standard mode federated providers. For transparent mode federated providers, Local Knowledge Objects defaults to enabled and can't be disabled. See Determine which knowledge objects are applied to federated searches.
Next, you set up federated index definitions for the datasets that you want to search on the Splunk Cloud Platform environment.
Create federated indexes and map them to remote datasets
This step applies only to Splunk Cloud Platform deployments that you have set up as standard mode federated providers.
Each federated index you create maps to a specific remote dataset on a federated provider. When you write a federated search, you use federated index references to search those remote datasets. Currently you can designate indexes and saved searches as remote datasets. See Create a federated index.
When you create a federated index definition, you:
- Name a federated provider
- Supply the name of the federated provider that contains the dataset you want the federated index to map to.
- Identify a dataset
- Name the dataset to which you want the federated index to map. You can set up indexes and saved searches as datasets for federated searches.
If you are not sure which datasets to use for your federated index definitions, look at the hybrid searches you commonly run. If those hybrid searches reference remote indexes on the federated provider, use those indexes in your federated index definitions.
You can manage the access that your users have to the remote datasets to which your federated indexes map. Set up role-based index filters for the federated indexes, same as you do for any other index. See Create and manage roles with Splunk Web in Securing the Splunk Platform.
Write and run federated searches
After you set up your standard mode Splunk Cloud Platform environment as a federated provider and define federated indexes that map to datasets on that federated provider, you are ready to write and run federated searches. If you have existing hybrid searches that you want to convert into federated searches, you need to convert your remote index references into federated search references.
To reference a federated index that maps to a remote index dataset, use this syntax:
You can also reference saved search datasets, in your federated searches, if you have created federated indexes that map to them. To reference a federated index that maps to a remote saved search dataset, use this syntax:
| from federated:<federated_index_for_remote_saved_search>
See Run federated searches for more information about writing federated searches and about restrictions on federated searches.
About federated search
Service accounts and federated search security
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2109, 8.2.2111, 8.2.2112, 8.2.2201 (latest FedRAMP release)