Splunk Cloud Platform

Can Splunk Cloud search on-prem indexers using federated search?

jordanking1992
Path Finder

Hello,

In a cloud migration, can a Splunk Cloud Search Head be configured to search both its cloud data and legacy data on-prem indexers?

Ex. There's an on-prem index called 'index01' that contains historical data. There is also the same index created in Splunk Cloud with 90 days of data. After switching the UFs to point to Splunk Cloud, is there a way to run a search in Splunk Cloud that searches the recent 90 days of data in the cloud + the historical on-prem data?

In this scenario, it seems like it would be Splunk Cloud -> On-Prem but this blog does not have that option.
https://www.splunk.com/en_us/blog/platform/introducing-splunk-federated-search.html


richgalloway
SplunkTrust

Yes, Federated Search works from Cloud to on-prem.  See the docs at https://docs.splunk.com/Documentation/Splunk/9.0.4/Search/Aboutfederatedsearch#Kinds_of_federated_se...

Usually, however, a migration to Splunk Cloud includes moving historical data to the cloud so Federated Search (FS) is not needed.  There are a number of caveats to FS so you should approach it carefully.

FS will not search cloud for recent data and on-prem for historical.  Instead, every search is sent to both the Cloud and on-prem indexers. 

---
If this reply helps you, Karma would be appreciated.