
Configure hybrid search
You can configure an on-premises Splunk Enterprise search head to connect to both a set of on-premises indexers and a Splunk Cloud Platform indexer cluster. The search head can then run hybrid searches that combine on-premises data with data from Splunk Cloud Platform.
To search across both on-premises and Splunk Cloud Platform data, you must run the search from an on-premises search head. A Splunk Cloud Platform search head can only search data on Splunk Cloud Platform.
Hybrid search limitations
The following conditions and limitations apply to hybrid search:
- You must run hybrid searches from an on-premises search head. You cannot run a hybrid search from a Splunk Cloud Platform search head.
- The on-premises search head must be compatible with the target Splunk Cloud Platform version. For more information, see Supported hybrid search versions in the Splunk Cloud Platform Service Description.
- Only ad-hoc searches are supported. Scheduled searches are not supported.
- You cannot install a Splunk Premium Solution on a hybrid search head. However, you can run a hybrid search against a Splunk Cloud Platform stack that includes a premium solution, as long as the hybrid search head running the hybrid search complies with all necessary conditions and limitations. See Splunk premium solutions in the Splunk Cloud Platform Service Description for a complete list of premium solutions.
- You cannot initiate searches from an on-premises Splunk Enterprise search head to multiple Splunk Cloud Platform environments.
See also Hybrid search in the Splunk Cloud Platform Service Description.
Enable hybrid search
Complete the following steps to enable hybrid search.
This procedure is valid only for an on-premises standalone search head that is not part of either an on-premises indexer cluster or an on-premises search head cluster.
- Confirm that the on-premises search head is already configured to search across on-premises indexers. To learn how to configure a search head to connect with on-premises indexers, see Deploy a distributed search environment in the Splunk Enterprise Distributed Search manual.
- Confirm that the on-premises search head is compatible with the target Splunk Cloud Platform version, as stated in Hybrid search limitations. If necessary, upgrade the search head to the Splunk Cloud version.
- Contact your Splunk account representative to enable hybrid search for your Splunk Cloud Platform instance. Be sure to provide the public IP address(es) of the hybrid search head(s) so that access lists in the Splunk Cloud Platform environment can be created. In addition, specify that you need:
  - A 1 MB Splunk Enterprise license for the on-premises search head that you want to use for hybrid search.
  - The URI for the manager node of the Splunk Cloud Platform indexer cluster.
  - The security key for the Splunk Cloud Platform indexer cluster.
  If necessary for your deployment, your representative can help you open a case with Splunk Support to enable hybrid search using the Splunk Support portal.
- Install the 1 MB license on the on-premises search head. See Install a license.
- Add the following lines to the server.conf file on the on-premises search head. The example shows the required TCP port for manager_uri: 8089.
  [general]
  site = site0
  [clustering]
  multisite = true
  manager_uri = <manager node URI in the format https://c0m1.<stack name>.splunkcloud.com:8089>
  mode = searchhead
  pass4SymmKey = <security key>
- Restart the search head.
- Run a search command like the following, which retrieves Splunk log events and lists the indexers that the events come from:
  index = _* | stats count by splunk_server
  If hybrid search is configured correctly, indexers from both your Splunk Enterprise and your Splunk Cloud Platform deployments are listed in the results.
Disable hybrid search
To disable hybrid search:
- Remove the following lines from the server.conf file on the on-premises search head:
  manager_uri = <manager node URI in the format https://c0m1.<stack name>.splunkcloud.com:8089>
  pass4SymmKey = <security key>
- Restart the search head.
- Run a search command like the following, which retrieves Splunk log events and lists the indexers that the events come from:
  index = _* | stats count by splunk_server
  If you've correctly disabled hybrid search, the search results show only indexers from your on-premises Splunk Enterprise deployment. The results should not include indexers from Splunk Cloud Platform deployments.
Splunk Customer Support will assist you in disabling hybrid search functionality configured for your Splunk Cloud Platform deployment. If you have a support contract, log in and file a new case using the Splunk Support Portal. Otherwise, contact Splunk Customer Support.
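As an added example, not code from the Splunk documentation, the following Python script checks the [general] and [clustering] settings that the enable procedure above puts in server.conf (site0, multisite, searchhead mode, an https manager_uri on port 8089 pointing at a splunkcloud.com manager node, and a pass4SymmKey that is no longer a placeholder) and also strips the two lines the disable procedure removes. The stack name example-stack, the key value and the sample file contents are constructed; the host-suffix check assumes the URI format shown on this page.

```python
"""Check and edit the hybrid-search settings in a Splunk Enterprise server.conf."""
import configparser
from urllib.parse import urlparse

# Constructed sample: the stanzas the enable step adds, with placeholders filled in.
# The stack name and key are made up for this example.
SAMPLE_SERVER_CONF = """\
[general]
site = site0

[clustering]
multisite = true
manager_uri = https://c0m1.example-stack.splunkcloud.com:8089
mode = searchhead
pass4SymmKey = CONSTRUCTED-EXAMPLE-KEY
"""

# Constructed sample with the mistakes this check is meant to catch:
# plain http, a non-management port, and an unreplaced placeholder key.
BAD_SERVER_CONF = """\
[general]
site = site0

[clustering]
multisite = true
manager_uri = http://c0m1.example-stack.splunkcloud.com:8000
mode = searchhead
pass4SymmKey = <security key>
"""


def load_conf(text):
    """Parse Splunk-style .conf text; keep key case so pass4SymmKey is not lowercased."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_hybrid_search(text):
    """Return a list of problems; an empty list means the settings match the enable step."""
    cp = load_conf(text)
    problems = []
    if cp.get("general", "site", fallback=None) != "site0":
        problems.append("[general] site must be site0")
    if not cp.has_section("clustering"):
        problems.append("missing [clustering] stanza")
        return problems
    c = cp["clustering"]
    if c.get("multisite", "").lower() != "true":
        problems.append("multisite must be true")
    if c.get("mode") != "searchhead":
        problems.append("mode must be searchhead")
    uri = c.get("manager_uri")
    if not uri:
        problems.append("manager_uri is missing")
    else:
        parsed = urlparse(uri)
        if parsed.scheme != "https":
            problems.append("manager_uri must use https")
        if parsed.port != 8089:
            problems.append("manager_uri must use management port 8089")
        if not (parsed.hostname or "").endswith(".splunkcloud.com"):
            problems.append("manager_uri host is not a splunkcloud.com manager node")
    key = c.get("pass4SymmKey", "")
    if not key or key.startswith("<"):
        problems.append("pass4SymmKey is missing or still a placeholder")
    return problems


def disable_hybrid_search(text):
    """Return the conf text with manager_uri and pass4SymmKey removed from [clustering]."""
    out = []
    stanza = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            stanza = stripped[1:-1]
        elif stanza == "clustering" and "=" in stripped:
            key = stripped.split("=", 1)[0].strip()
            if key in ("manager_uri", "pass4SymmKey"):
                continue  # drop the line the disable step removes
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_SERVER_CONF), ("bad", BAD_SERVER_CONF)):
        print(name, check_hybrid_search(conf) or "OK")
    print(disable_hybrid_search(SAMPLE_SERVER_CONF))
```

Running the checker after editing, and again after removing the two lines, gives a quick confirmation before the restart and the `index = _*` search described above; on the disabled file it reports that manager_uri and pass4SymmKey are absent, which is the expected state.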
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209 (latest FedRAMP release), 9.0.2303