Splunk Cloud Platform

Search Manual


Migrate from hybrid search to federated search

Do you run hybrid searches from your Splunk Enterprise search head that combine data from your Splunk Enterprise instance with data from a Splunk Cloud Platform environment? Now you can migrate your hybrid searches to the federated search solution. Federated search expands your cross-deployment search capabilities.

Comparing hybrid search and federated search

The following comparison shows how hybrid search and standard mode federated search match up, feature by feature.

Environments spanned in a search
  Hybrid search: Searches can span a single Splunk Enterprise environment and a single Splunk Cloud Platform environment.
  Federated search (standard mode): Searches can span multiple Splunk Enterprise environments and multiple Splunk Cloud Platform environments.

Ad-hoc search
  Hybrid search: Yes
  Federated search (standard mode): Yes

Scheduled search
  Hybrid search: No
  Federated search (standard mode): Yes

Workload management (WLM)
  Hybrid search: No
  Federated search (standard mode): Yes

Search processing language (SPL) coverage
  Hybrid search: No special syntax required. All commands allowed.
  Federated search (standard mode): Requires special syntax.
    • Does not allow generating commands other than search and from. You can use the from command to reference only saved search datasets.
    • Does not allow the verbose and smart search modes.
    • Does not allow metrics commands such as mpreview and mstats.
    • Cannot run searches with tstats or datamodel.
    • Does not support real-time search.
    • When you run federated searches over standard mode federated providers, you cannot use wildcards to reference multiple federated indexes.

Security (RBAC)
  Hybrid search: Hybrid search enforces all security at the Splunk Enterprise search head.
  Federated search (standard mode): Federated search enforces security on the local and remote search heads. On the remote search head, you can apply access control at the service account for the federated provider. On the local federated search head, you can apply additional, more granular access controls at the remote dataset level by setting role-based federated index filters. See Service accounts and federated search security.

Search head architecture
  Hybrid search: For hybrid search, the Splunk Cloud Platform requires a single search head. Hybrid search does not let you search Splunk Cloud Platform environments with search head cluster configurations.
  Federated search (standard mode): Federated search works with all search management tier architecture options and combinations.

Version compatibility and upgrades
  Hybrid search: There are strict version dependencies for hybrid search between Splunk Enterprise and Splunk Cloud Platform environments. An upgrade on either side can break hybrid searches until you upgrade the corresponding deployment to a compatible version.
  Federated search (standard mode): You need to have Splunk Enterprise 8.2 or higher, and Splunk Cloud Platform 8.2.2104 or higher. There isn't a strict versioning dependency between the two platforms. Splunk Cloud Platform upgrades do not break federated searches.

Operability
  Hybrid search: To enable and configure hybrid search between a Splunk Enterprise environment and a Splunk Cloud Platform environment, you must contact your Splunk representative.
  Federated search (standard mode): To enable federated search with a remote Splunk Cloud Platform deployment, you must contact your Splunk representative to open management port 8089 on that deployment.

For an overview of federated search terminology, see About federated search.

Move to federated search

To move to federated search, you must contact Splunk Support to get your Splunk Cloud Platform deployment configured for federated search. Then you need to follow a few self-service steps. Afterwards, you can run federated searches that combine data from your local Splunk Enterprise deployment and a remote Splunk Cloud Platform deployment.

  1. Contact Splunk Support to configure the Splunk Cloud Platform deployment for federated search.
  2. Create a service account for the Splunk Cloud Platform deployment.
  3. Create a federated provider definition for the Splunk Cloud Platform deployment.
  4. Create a separate federated index for each remote dataset you want to search on the federated provider.
  5. Write and run federated searches.

Contact Splunk Support to configure the Splunk Cloud Platform deployment for federated search

To run federated searches, Splunk Cloud Platform deployments require additional configuration from Splunk Support. If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Splunk Customer Support.

Create a service account for the Splunk Cloud Platform deployment

A service account is a dedicated user account that you create on the Splunk Cloud Platform deployment over which you want to run federated searches. The service account allows the federated search head to search data on the federated provider. How you set up this service account has implications for the amount of access your users have to data in their federated searches.

For more information, see Service accounts and federated search security.

Create a federated provider definition for the Splunk Cloud Platform deployment

You create a federated provider definition for your Splunk Cloud Platform deployment through the Federated Provider page. The Federated Provider page is available in Settings. These settings determine how the federated search head on your Splunk Enterprise deployment collaborates with the remote search heads on your federated provider to run a federated search.

See Define a federated provider.

An image of the Add Federated Provider dialog, filled out for a federated provider named my_splunk_cloud_platform_env_1.

When you set up a Splunk Cloud Platform environment as a federated provider, you:

Determine whether the federated provider uses standard mode or transparent mode
Your provider mode choice depends on the version of Splunk Enterprise you use in the hybrid search. If you use Splunk Enterprise 8.2.x, use standard mode. Splunk Enterprise will support transparent mode in a forthcoming release.
Help your local federated search head connect to the remote federated provider
Supply the Splunk Cloud Platform environment host name, IP address, and management port number (8089).
Provide the service account credentials
Supply the user ID and password for the service account you defined previously.
Determine whether you are using local or remote knowledge objects
The Local Knowledge Objects setting determines whether the knowledge objects used in your federated searches with this provider come from the local federated search head on your Splunk Enterprise deployment or the remote search head on the Splunk Cloud Platform federated provider. Local Knowledge Objects defaults to disabled for standard mode federated providers. For transparent mode federated providers, Local Knowledge Objects defaults to enabled and can't be disabled. See Determine which knowledge objects are applied to federated searches.

Next, you set up federated index definitions for the datasets that you want to search on the Splunk Cloud Platform environment.

Create federated indexes and map them to remote datasets

This step applies only to Splunk Cloud Platform deployments that you have set up as standard mode federated providers.

Each federated index you create maps to a specific remote dataset on a federated provider. When you write a federated search, you use federated index references to search those remote datasets. Currently you can designate indexes and saved searches as remote datasets. See Create a federated index.

An image of the Create a Federated Index dialog, filled out for a federated index named web_apache_2 that maps to a remote index on the federated provider my_splunk_cloud_platform_env_1.

When you create a federated index definition, you:

Name a federated provider
Supply the name of the federated provider that contains the dataset you want the federated index to map to.
Identify a dataset
Name the dataset to which you want the federated index to map. You can set up indexes and saved searches as datasets for federated searches.

If you are not sure which datasets to use for your federated index definitions, look at the hybrid searches you commonly run. If those hybrid searches reference remote indexes on the federated provider, use those indexes in your federated index definitions.

You can manage the access that your users have to the remote datasets to which your federated indexes map. Set up role-based index filters for the federated indexes, same as you do for any other index. See Create and manage roles with Splunk Web in Securing the Splunk Platform.

Write and run federated searches

After you set up your standard mode Splunk Cloud Platform environment as a federated provider and define federated indexes that map to datasets on that federated provider, you are ready to write and run federated searches. If you have existing hybrid searches that you want to convert into federated searches, you need to convert your remote index references into federated search references.

To reference a federated index that maps to a remote index dataset, use this syntax:

search index=federated:<federated_index_for_remote_index>

You can also reference saved search datasets, in your federated searches, if you have created federated indexes that map to them. To reference a federated index that maps to a remote saved search dataset, use this syntax:

| from federated:<federated_index_for_remote_saved_search>
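As an added example that is not part of this Splunk topic, the following Python helper converts the remote index references in existing hybrid searches to the index=federated:<federated_index> syntax above and flags searches that hit the standard mode restrictions listed in the comparison (generating commands other than search and from, real-time search, wildcard federated index references). The index names, the mapping, and the helper itself are assumptions; indexes that are not in the mapping are treated as local and left unchanged.

```python
import re

# Constructed mapping (an assumption, not from the page) of the remote index names
# that your hybrid searches reference to the federated indexes you created for them.
FEDERATED_INDEX_MAP = {
    "web_apache": "web_apache_2",
    "os_linux": "os_linux_fed",
}

# index=<name> references, including already converted federated:<name> ones.
INDEX_REF = re.compile(r'\bindex\s*=\s*"?([A-Za-z0-9_:*-]+)"?')
# A leading pipe means the search starts with a generating command.
HEAD_CMD = re.compile(r'^\s*\|\s*([A-Za-z_]+)')


def convert_hybrid_search(spl, index_map=FEDERATED_INDEX_MAP):
    """Rewrite remote index references in a hybrid SPL search to federated
    index references and collect the standard mode restrictions it violates.
    Returns (converted_spl, problems); indexes absent from index_map are
    assumed to be local and are left untouched."""
    problems = []
    head = HEAD_CMD.match(spl)
    if head and head.group(1) not in ("search", "from"):
        problems.append(f"generating command '{head.group(1)}' is not allowed "
                        "(only search and from may start a federated search)")
    if re.search(r'\b(earliest|latest)\s*=\s*rt\b', spl):
        problems.append("real-time search is not supported")

    def rewrite(match):
        name = match.group(1)
        if name.startswith("federated:"):
            return match.group(0)          # already a federated reference
        if "*" in name:
            problems.append(f"wildcard '{name}' cannot reference federated indexes")
            return match.group(0)
        if name not in index_map:
            return match.group(0)          # assumed to be a local index
        return f"index=federated:{index_map[name]}"

    return INDEX_REF.sub(rewrite, spl), problems


if __name__ == "__main__":
    for q in ("search index=web_apache status=500 | stats count by host",
              "| tstats count where index=os_linux by host",
              "search index=web* earliest=rt-5m | head 5"):
        converted, issues = convert_hybrid_search(q)
        print(converted, issues)
```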

See Run federated searches for more information about writing federated searches and about restrictions on federated searches.

Last modified on 05 April, 2022

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2109, 8.2.2111, 8.2.2112, 8.2.2201 (latest FedRAMP release)
