Splunk Cloud Platform

Splunk Cloud Platform Admin Manual

This documentation does not apply to the most recent version of Splunk Cloud Platform. For documentation on the most recent version, go to the latest release.

Configure hybrid search

An on-premises Splunk Enterprise search head can connect to both a set of on-premises indexers and a Splunk Cloud Platform indexer cluster on Classic Experience. The search head can then run hybrid searches that combine on-premises data with data from Splunk Cloud Platform.

End of life for hybrid search is targeted for April 30, 2024. Customers who use hybrid search must migrate to federated search. See Migrate from hybrid search to federated search for information. After migrating to federated search, contact Splunk customer support to disable hybrid search on your Splunk Cloud Platform deployment.

To search across both on-premises and Splunk Cloud Platform data with hybrid search, you must run the search from an on-premises search head. A Splunk Cloud Platform search head can only search data on Splunk Cloud Platform.

Hybrid search limitations

The following conditions and limitations apply to hybrid search:

  • End of life for hybrid search is targeted for April 30, 2024.
  • You must run hybrid searches from an on-premises search head. You cannot run a hybrid search from a Splunk Cloud Platform search head.
  • The on-premises search head must be compatible with the target Splunk Cloud Platform version. For more information, see Supported hybrid search versions in the Splunk Cloud Platform Service Description.
  • Only ad-hoc searches are supported. Scheduled searches are not supported.
  • You cannot install a Splunk Premium Solution on a hybrid search head. However, you can run a hybrid search against a Splunk Cloud Platform stack that includes a premium solution, as long as the hybrid search head running the hybrid search complies with all necessary conditions and limitations. See Splunk premium solutions in the Splunk Cloud Platform Service Description for a complete list of premium solutions.
  • You cannot initiate searches from an on-premises Splunk Enterprise search head to multiple Splunk Cloud Platform environments.

See also Hybrid search in the Splunk Cloud Platform Service Description.

Expand your cross-deployment search options with federated search

Federated search is an improvement on hybrid search that expands your ability to search across Splunk deployments. If you are considering a move to hybrid search, consider federated search instead.

  • Federated search does not require an on-premises search head. You can configure federated search between Splunk Cloud Platform deployments.
  • Federated search can be set up between a single "local" Splunk deployment and multiple "remote" Splunk deployments.
  • Federated search supports scheduled searches.
  • Federated search supports all search management tier architecture options. This means that it allows search of Splunk Cloud Platform deployments with search head cluster configurations.
  • In most cases you can configure federated search between an on-premises deployment and a Splunk Cloud Platform deployment without contacting a Splunk Support representative.
  • After you migrate to federated search, open a support ticket to disable hybrid search in your Splunk Cloud Platform deployment.

For more information, see Migrate from hybrid search to federated search in the Splunk Cloud Platform Search Manual.

Enable hybrid search

Complete the following steps to enable hybrid search

This procedure is valid only for an on-premises standalone search head that is not part of either an on-premises indexer cluster or an on-premises search head cluster.

  1. Confirm that the on-premises search head is already configured to search across on-premises indexers. To learn how to configure a search head to connect with on-premises indexers, see Deploy a distributed search environment in the Splunk Enterprise Distributed Search manual.
  2. Confirm that the on-premises search head is compatible with the target Splunk Cloud Platform version, as stated in Hybrid search limitations. If necessary, upgrade the search head to the Splunk Cloud version.
  3. Contact your Splunk account representative to enable hybrid search for your Splunk Cloud Platform instance. Be sure to provide the public IP address(es) of the hybrid search head(s) so that access lists in the Splunk Cloud Platform environment can be created. In addition, specify that you need:
    • A 1 MB Splunk Enterprise license for the on-premises search head that you want to use for hybrid search.
    • The URI for the manager node of the Splunk Cloud Platform indexer cluster.
    • The security key for the Splunk Cloud Platform indexer cluster.

    If necessary for your deployment, your representative can help you open a case with Splunk Support to enable hybrid search using the Splunk Support portal.

  4. Install the 1 MB license on the on-premises search head. See Install a license.
  5. Add the following lines to the server.conf file on the on-premises search head.
    The example shows the required TCP port for manager_uri: 8089. 
    [general]
site = site0

[clustering]
multisite = true
manager_uri = <manager node URI in the format https://c0m1.<stack name>.splunkcloud.com:8089>
mode = searchhead
pass4SymmKey = <security key>
  6. Restart the search head.
  7. Run a search command like the following, which retrieves Splunk log events and lists the indexers that the events come from:
    index = _* | stats count by splunk_server.

    If hybrid search is configured correctly, indexers from both your Splunk Enterprise and your Splunk Cloud Platform deployments are listed in the results.

Disable hybrid search

To disable hybrid search:

  1. Remove the following lines from the server.conf file on the on-premises search head.
    2. manager_uri = <manager node URI in the format https://c0m1.<stack name>.splunkcloud.com:8089>
pass4SymmKey = <security key>
  2. Restart the search head.
  3. Run a search command like the following, which retrieves Splunk log events and lists the indexers that the events come from:
    index = _* | stats count by splunk_server.

    If you've correctly disabled hybrid search, the search results show indexers only from your on-premises Splunk Enterprise search head. The results should not include indexers from Splunk Cloud Platform deployments.

Splunk Customer Support will assist you in disabling hybrid search functionality configured for your Splunk Cloud Platform deployment. If you have a support contract, log in and file a new case using the Splunk Support Portal. Otherwise, contact Splunk Customer Support.

Last modified on 11 October, 2023
Manage a rolling restart in Splunk Cloud Platform   Set limits for concurrent scheduled searches

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters