Splunk Cloud Platform

Splunk Cloud Platform Admin Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Configure hybrid search

You can configure an on-premises Splunk Enterprise search head to connect to both a set of on-premises indexers and a Splunk Cloud Platform indexer cluster. The search head can then run hybrid searches that combine on-premises data with data from Splunk Cloud Platform.

To search across both on-premises and Splunk Cloud Platform data, you must run the search from an on-premises search head. A Splunk Cloud Platform search head can only search data on Splunk Cloud Platform.

Hybrid search limitations

The following conditions and limitations apply to hybrid search:

  • You must run hybrid searches from an on-premises search head. You cannot run a hybrid search from a Splunk Cloud Platform search head.
  • The on-premises search head must be compatible with the target Splunk Cloud Platform version. For more information, see Supported hybrid search versions in the Splunk Cloud Platform Service Description.
  • Only ad-hoc searches are supported. Scheduled searches are not supported.
  • You cannot install a Splunk Premium Solution on a hybrid search head. However, you can run a hybrid search against a Splunk Cloud Platform stack that includes a premium solution, as long as the hybrid search head running the hybrid search complies with all necessary conditions and limitations. See Splunk premium solutions in the Splunk Cloud Platform Service Description for a complete list of premium solutions.
  • You cannot initiate searches from an on-premises Splunk Enterprise search head to multiple Splunk Cloud Platform environments.

See also Hybrid search in the Splunk Cloud Platform Service Description.

Enable hybrid search

Complete the following steps to enable hybrid search

This procedure is valid only for an on-premises standalone search head that is not part of either an on-premises indexer cluster or an on-premises search head cluster.

  1. Confirm that the on-premises search head is already configured to search across on-premises indexers. To learn how to configure a search head to connect with on-premises indexers, see Deploy a distributed search environment in the Splunk Enterprise Distributed Search manual.
  2. Confirm that the on-premises search head is compatible with the target Splunk Cloud Platform version, as stated in Hybrid search limitations. If necessary, upgrade the search head to the Splunk Cloud version.
  3. Contact your Splunk account representative to enable hybrid search for your Splunk Cloud Platform instance. Be sure to provide the public IP address(es) of the hybrid search head(s) so that access lists in the Splunk Cloud Platform environment can be created. In addition, specify that you need:
    • A 1 MB Splunk Enterprise license for the on-premises search head that you want to use for hybrid search.
    • The URI for the manager node of the Splunk Cloud Platform indexer cluster.
    • The security key for the Splunk Cloud Platform indexer cluster.

    If necessary for your deployment, your representative can help you open a case with Splunk Support to enable hybrid search using the Splunk Support portal.

  4. Install the 1 MB license on the on-premises search head. See Install a license.
  5. Add the following lines to the server.conf file on the on-premises search head.
    The example shows the required TCP port for manager_uri: 8089. 
    [general]
site = site0

[clustering]
multisite = true
manager_uri = <manager node URI in the format https://c0m1.<stack name>.splunkcloud.com:8089>
mode = searchhead
pass4SymmKey = <security key>
  6. Restart the search head.
  7. Run a search command like the following, which retrieves Splunk log events and lists the indexers that the events come from:
    index = _* | stats count by splunk_server.

    If hybrid search is configured correctly, indexers from both your Splunk Enterprise and your Splunk Cloud Platform deployments are listed in the results.

Disable hybrid search

To disable hybrid search:

  1. Remove the following lines from the server.conf file on the on-premises search head.
    2. manager_uri = <manager node URI in the format https://c0m1.<stack name>.splunkcloud.com:8089>
pass4SymmKey = <security key>
  2. Restart the search head.
  3. Run a search command like the following, which retrieves Splunk log events and lists the indexers that the events come from:
    index = _* | stats count by splunk_server.

    If you've correctly disabled hybrid search, the search results show indexers only from your on-premises Splunk Enterprise search head. The results should not include indexers from Splunk Cloud Platform deployments.

Splunk Customer Support will assist you in disabling hybrid search functionality configured for your Splunk Cloud Platform deployment. If you have a support contract, log in and file a new case using the Splunk Support Portal. Otherwise, contact Splunk Customer Support.

Last modified on 17 June, 2022
PREVIOUS
Manage a rolling restart in Splunk Cloud Platform 		  NEXT
Set limits for concurrent scheduled searches

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209 (latest FedRAMP release), 9.0.2303

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters