Comparing hybrid search and Federated Search for Splunk
The following table shows you how hybrid search and transparent mode federated search match up.
| Feature | Hybrid search | Federated Search for Splunk in transparent mode |
|---|---|---|
| Environments spanned in a search | Hybrid searches can span a single Splunk Enterprise deployment and a single Splunk Cloud Platform deployment. | Transparent mode federated searches can span a single Splunk Enterprise deployment and multiple Splunk Cloud Platform deployments. |
| Splunk Cloud Platform (SCP) experience designation support | Hybrid search supports only SCP environments with the Classic Experience designation. Hybrid search does not support SCP environments with the Victoria Experience designation. | Federated search supports both Classic and Victoria Experience SCP environments. |
| Ad-hoc search | Yes | Yes |
| Scheduled search | No | Yes |
| Workload management (WLM) | No | Yes |
| Search processing language (SPL) coverage | No special syntax required. All commands allowed. | No special syntax required. All commands allowed. |
| Security (RBAC) | Hybrid search enforces all security at the Splunk Enterprise search head. | Transparent mode federated searches enforce all security at the Splunk Enterprise search head, with the exception of remote indexes, the access to which is governed by the service account user on the Splunk Cloud Platform search head. See Service accounts and federated search security. |
| Search head architecture | For hybrid search, the Splunk Cloud Platform requires a single search head. Hybrid search does not let you search Splunk Cloud Platform environments with search head cluster configurations. | Federated search works with all search management tier architecture options and combinations. |
| Version compatibility and upgrades | There are strict version dependencies for hybrid search between Splunk Enterprise and Splunk Cloud Platform environments. An upgrade on either side can break hybrid searches until you upgrade the corresponding deployment to a compatible version. | For transparent mode federated search, you need to have Splunk Enterprise 9.0 or higher and Splunk Cloud Platform 8.2.2107 or higher. There isn't a strict versioning dependency between the two platforms. Splunk Cloud Platform upgrades do not break federated searches. |
| Operability | To activate and configure hybrid search between a Splunk Enterprise environment and Splunk Cloud Platform environment, you must contact your Splunk representative. | You should be able to activate and configure federated search between a Splunk Enterprise environment and a Splunk Cloud Platform environment by following the steps outlined in this topic. |