Deployment Architecture

What certificates are used for hybrid search communication between an on-premise search head and Splunk Cloud clustered indexers and master node?


Per the Splunk Cloud documentation, it is possible to have a Hybrid Search model where an on-premise Search Head essentially connects to the Master Node in the Cloud, which then allows the Cloud Indexers to be searched from the on-premise Search Head. In order to facilitate this, it seems that the URI of the Master Node would be required and also the Cloud Indexer clustering configuration key. However, how does this work on the internal certificate side for communication?

I am assuming the SH would communicate with the MN over port 8089. Are certificates provided to facilitate this communication or is only the Splunk default certificate being used?

0 Karma

Splunk Employee
Splunk Employee

Communication is secured using the pass4symmkey. (Shared Secret). You should file a ticket asking asking for Hybrid search to be setup, then support will send your the URI to your c0m1 (clustermaster) and a secret key.

Note: Hybrid search must be requested as its not setup by default. Also, you should provide a whitelist of IPs for your on-prem searchheads.

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...