The following conditions and limitations apply to hybrid search:

• End of life for hybrid search is targeted for October 30, 2024.
• You must run hybrid searches from an on-premises search head. You cannot run a hybrid search from a Splunk Cloud Platform search head.
• The on-premises search head must be compatible with the target Splunk Cloud Platform version. For more information, see Supported hybrid search versions in the Splunk Cloud Platform Service Description.
• Only ad-hoc searches are supported. Scheduled searches are not supported.
• You cannot install a Splunk Premium Solution on a hybrid search head. However, you can run a hybrid search against a Splunk Cloud Platform stack that includes a premium solution, as long as the hybrid search head running the hybrid search complies with all necessary conditions and limitations. See Splunk premium solutions in the Splunk Cloud Platform Service Description for a complete list of premium solutions.
• You cannot initiate searches from an on-premises Splunk Enterprise search head to multiple Splunk Cloud Platform environments.

See also Hybrid search in the Splunk Cloud Platform Service Description.

Federated search is an improvement on hybrid search that expands your ability to search across Splunk deployments. If you are considering a move to hybrid search, consider federated search instead.

• Federated search does not require an on-premises search head. You can configure federated search between Splunk Cloud Platform deployments.
• Federated search can be set up between a single "local" Splunk deployment and multiple "remote" Splunk deployments.
• Federated search supports scheduled searches.
• Federated search supports all search management tier architecture options. This means that it allows search of Splunk Cloud Platform deployments with search head cluster configurations.
• In most cases you can configure federated search between an on-premises deployment and a Splunk Cloud Platform deployment without contacting a Splunk Support representative.
• After you migrate to federated search, open a support ticket to disable hybrid search in your Splunk Cloud Platform deployment.

See Migrate from hybrid search to Federated Search for Splunk in Federated Search.

To turn off hybrid search:

1. Remove the following lines from the server.conf file on the on-premises search head.

   manager_uri = <manager node URI in the format https://c0m1.<stack name>.splunkcloud.com:8089>
   pass4SymmKey = <security key>
   

2. Restart the search head.
3. Run a search command like the following, which retrieves Splunk log events and lists the indexers that the events come from:
   index = _* | stats count by splunk_server.
   If you've correctly deactivated hybrid search, the search results show indexers only from your on-premises Splunk Enterprise search head. The results should not include indexers from Splunk Cloud Platform deployments.

Splunk Customer Support will assist you in deactivating hybrid search functionality configured for your Splunk Cloud Platform deployment. If you have a support contract, log in and file a new case using the Splunk Support Portal. Otherwise, contact Splunk Customer Support.