Migrate from hybrid search to federated search
Do you run hybrid searches from your Splunk Enterprise search head that combine data from your Splunk Enterprise instance with data from a Splunk Cloud Platform environment? If so, you should migrate your hybrid searches to the federated search solution. Federated search has several advantages over hybrid search. A move to federated search will expand what you can do with cross-deployment searches.
Comparing hybrid search and federated search
The following table shows you how hybrid search and transparent mode federated search match up.
| Feature | Hybrid search | Federated search in transparent mode |
| --- | --- | --- |
| Environments spanned in a search | Searches can span a single Splunk Enterprise deployment and a single Splunk Cloud Platform deployment. | Searches can span multiple Splunk Enterprise deployments and multiple Splunk Cloud Platform deployments. |
| Scheduled search | Not supported | Supported |
| Workload management (WLM) | Not supported | Supported |
| SPL support | No special syntax required. All commands supported. | No special syntax required. All commands supported. |
| Security (RBAC) | All security is enforced at the Splunk Enterprise search head. | Transparent mode federated searches follow the role-based access control settings of the Splunk Enterprise search head. However, you can limit the roles available for federated searches by applying only the roles you want to allow to the service account for the remote Splunk Cloud Platform deployment. |
| Search head architecture | For hybrid search, the Splunk Cloud Platform deployment requires a single search head. Hybrid search does not support Splunk Cloud Platform environments with search head cluster configurations. | Federated search supports all search management tier architecture options and combinations. |
| Version compatibility and upgrades | There are strict version dependencies for hybrid search between Splunk Enterprise and Splunk Cloud Platform environments. An upgrade on either side can break hybrid searches until the corresponding deployment is upgraded to a compatible version. | For transparent mode federated search, you need Splunk Enterprise 8.3 or later and Splunk Cloud Platform 8.2.2107 or later. There isn't a strict versioning dependency between the two platforms. Splunk Cloud Platform upgrades won't break federated searches. |
| Operability | To enable and configure hybrid search between a Splunk Enterprise environment and a Splunk Cloud Platform environment, you must contact your Splunk representative. | To enable federated search with a remote Splunk Cloud Platform deployment, you must contact your Splunk representative to open management port 8089 on that deployment. |
Transparent or standard mode?
Federated search offers two modes of operation: standard and transparent. These modes provide two different experiences of federated search.
Transparent mode is the recommended mode for hybrid search users who want a smooth transition to federated search, as it will require the least amount of change to your saved searches and search workflow. However, the ability to choose transparent mode is disabled by default.
For an overview of federated search terminology, a comparison of the two federated search modes, and instructions for enabling transparent mode on your local Splunk Enterprise deployment, see About federated search.
Move to federated search
The move to federated search requires that you follow a few self-service steps. Afterwards, you can run federated searches that combine data from your local Splunk Enterprise deployment and a remote Splunk Cloud Platform deployment.
- Create a service user account on the Splunk Cloud Platform deployment.
- Designate the Splunk Cloud Platform environment as a federated provider.
Create a service account for your remote Splunk Cloud Platform deployment
A service account is a dedicated user account that you create on the Splunk Cloud Platform deployment over which you want to run federated searches. The service account allows the federated search head to search data on the federated provider. How you set up this service account has implications for the amount of access your users have to data in their federated searches.
For more information see Service accounts and federated search security.
Create a federated provider definition for your Splunk Cloud Platform deployment
You create a federated provider definition for your Splunk Cloud Platform deployment through the Federated Provider page. The Federated Provider page is available in Settings. These settings determine how the federated search head on your Splunk Enterprise deployment collaborates with the remote search heads on your federated provider to run a federated search.
When you set up a Splunk Cloud Platform environment as a federated provider, you:
- Determine whether the provider uses standard mode or transparent mode
  - Transparent mode is the recommended mode for former hybrid search users.
- Help your local federated search head connect to the remote federated provider
  - Supply the Splunk Cloud Platform environment host name and management port number (8089).
- Provide the service account credentials
  - Supply the service account user ID and password you defined previously.
- Determine whether you are using local or remote knowledge objects
  - A pair of settings lets you determine whether the knowledge objects used in your federated searches with a given provider come from the local federated search head on your Splunk Enterprise deployment or from the remote search head on the federated provider.
At this point you are ready to run federated searches.
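The following script is an added example, not part of the Splunk documentation: it parses a federated provider definition in the form it is saved to disk and flags the settings this page calls out (management port 8089, transparent mode for former hybrid search users, a dedicated service account rather than a full admin account, and a password that has not yet been encrypted on disk). The stanza and key names (`provider:<name>`, `type`, `ip`, `port`, `serviceAccount`, `password`, `mode`, `useFSHKnowledgeObjects`) and the `$7$` encrypted-secret prefix are assumptions from memory of `federated.conf`; confirm them against `federated.conf.spec` on your own search head.

```python
# Added example: lint federated.conf provider stanzas against this page's checklist.
# Stanza and key names are assumed from federated.conf as recalled, not taken
# from this page; confirm against federated.conf.spec on your own search head.
import configparser

# Constructed sample: cloud_prod is set up as the page recommends,
# cloud_dev carries the settings a migrating hybrid-search user should catch.
SAMPLE_CONF = """
[provider:cloud_prod]
type = splunk
ip = example.splunkcloud.com
port = 8089
serviceAccount = fsh_service
password = $7$constructedEncryptedPlaceholder
mode = transparent
useFSHKnowledgeObjects = true

[provider:cloud_dev]
type = splunk
ip = dev.splunkcloud.com
port = 8000
serviceAccount = admin
password = hunter2
mode = standard
"""

def lint_provider(name: str, s: dict) -> list:
    """Return findings for one provider stanza; an empty list means clean."""
    findings = []
    if s.get("port") != "8089":
        findings.append(f"{name}: port is {s.get('port')}, not management port 8089")
    if s.get("mode", "standard") != "transparent":
        findings.append(f"{name}: not transparent mode; hybrid-search SPL may need changes")
    if s.get("serviceAccount", "").lower() == "admin":
        findings.append(f"{name}: serviceAccount is admin; use a dedicated, role-limited account")
    # Assumption: splunkd rewrites saved secrets with a $7$ prefix once encrypted,
    # so a bare value means the password is still clear text on disk.
    if not s.get("password", "").startswith("$7$"):
        findings.append(f"{name}: password is clear text; re-save via Settings so it is encrypted")
    return findings

def lint_conf(text: str) -> dict:
    """Parse federated.conf text and lint every provider:* stanza."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep camelCase keys such as serviceAccount
    parser.read_string(text)
    return {sec.split(":", 1)[1]: lint_provider(sec, dict(parser[sec]))
            for sec in parser.sections() if sec.startswith("provider:")}
```

Run `lint_conf` over the contents of `$SPLUNK_HOME/etc/system/local/federated.conf` (or the app-local copy you use) to review every provider before cutting over your saved searches.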
Write and run federated searches
Under transparent mode you should be able to run the same kinds of searches that you used for hybrid search, without changes to syntax. The only difference you may run into is that you cannot search data model or saved search datasets on a transparent mode federated provider.
See Run federated searches for more information about writing federated searches and about restrictions on federated searches.
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2109