Determine which knowledge objects are applied to federated searches
When you set up a standard mode federated provider, you must consider where federated searches that are run on that provider will get their knowledge objects. You do this on the Add Federated Provider page in Splunk Web by setting the Application Short Name setting for the provider and by using the Local Knowledge Objects setting to determine whether the provider uses local or remote knowledge objects.
This topic explains the significance of these settings.
To learn how to set these settings when you define a federated provider, see Define a federated provider.
How knowledge object application works for single-deployment searches
When you run a normal search on a single Splunk platform deployment, the search process automatically applies sets of knowledge objects such as field extractions, lookups, tags, and event types to searches.
When you run an ordinary search over data in a single Splunk platform deployment, you do not need to think much about the knowledge object sets your search head applies to your searches. This is because the search head on your Splunk platform deployment uses your application context to determine which knowledge objects to apply. Your application context is defined by the app you are using when you run the search.
For example, if you run a search while you are using the Search app, your search head applies the knowledge objects that belong to the Search app to your search. If you switch to the Enterprise Security app and run another search, your search head applies the knowledge objects that belong to the Enterprise Security app to that search.
Why federated search is different
When you set up standard mode federated providers, you must consider the knowledge objects that will be used in your searches. The following table lists two situations with knowledge objects in federated searches, explains those situations, and names the settings that address those situations.
|Federated search involves multiple search heads across multiple Splunk platform deployments||Each Splunk platform deployment has its own set of knowledge objects. If you will use knowledge objects from the federated search head and one or more remote search heads in a single federated search, verify that the search heads won't apply knowledge objects with the same type and name but different definitions to the search, as this might produce inconsistent search results.||On the Add Federated Provider page in Splunk Web, enable the Local Knowledge Objects setting for the federated provider. When enabled, this setting ensures that federated searches on the federated provider use only knowledge objects from the local federated search head.|
|Remote search heads cannot detect application context of local federated search head||When parts of your federated search take place on the remote search heads of federated providers, and you are not using local knowledge objects, the remote search heads must have an application context for the search. The application context helps them apply the correct set of knowledge objects to their portion of the search.
Setting an application short name also helps with workload management limit provision and with logging and auditing.
See Set the application context for your federated provider.
|On the Add Federated Provider page in Splunk Web, set the Application Short Name setting for the federated provider to the short name of an app.
Application Short Name defaults to the Search app.
When the remote Splunk deployment uses search head clustering
If possible, disable the Local Knowledge Objects setting for federated providers on remote Splunk deployments that use search head clustering. This is especially important if you have set up the load balancer as the federated provider for the search head cluster. As load balancers manage data traffic for their clusters, they can drop knowledge object bundles on different cluster nodes from the cluster nodes on which they run federated searches. This can cause your federated searches to fail.
If your remote deployment uses search head clustering and you must use local knowledge objects for your federated searches, set up each of the search heads in the search head cluster as federated providers, and enable Local Knowledge Objects for each provider.
Set the application context for your federated provider
The Application Short Name setting provides an application context for the searches you run against remote datasets on the federated provider. This setting defaults to the Search and Reporting app.
How you set Application Short Name for a federated provider depends on whether Local Knowledge Objects is enabled or disabled for that provider.
|Local Knowledge Objects setting||How to set Application Short Name|
|Disabled||Provide the short name of an app that exists on the remote search head of the federated provider.|
|Enabled||Provide the short name of an app that exists on both the remote search head of the federated provider and the federated search head of your local Splunk platform deployment.|
Setting an application context for a federated provider serves three purposes.
|Knowledge object scoping||Provision of an application context ensures that federated searches that use the federated provider are limited to the knowledge objects that are associated with the named application.|
|Provision of workload management limits||The application context allows administrators of the federated provider to set app-based workload management limits on your federated searches.|
|Logging and auditing||The application context simplifies logging and auditing of the federated provider.|
Finding installed apps and their application short names
To find what applications are installed on a specific Splunk platform deployment, in Splunk Web on that deployment, select Apps > Manage Apps. This takes you to the Apps listing page, where the short names of the installed apps are provided in the Folder name column.
Creating standard mode federated providers that have the same host name but different app contexts
If a standard mode federated provider has the Search app as its application context, federated searches you run with it can use or reference only the tags, aliases, search-time field extractions, and other knowledge objects that are associated with the Search app. If you run a federated search that references an alias or calculated field that is associated with another application, such as Splunk Enterprise Security or Splunk IT Service Intelligence, it will fail on the federated provider because it can't find those knowledge objects in the Search app.
Remedy this problem by creating multiple standard mode federated provider definitions that use the same host and port but which have different application contexts. You can do this as long as each federated provider configuration has a unique name. For example, you can use the following three federated provider configurations concurrently even though they all search data on the same remote host:
|Federated provider name||Remote host||Application short name|
You can set up multiple standard mode providers with the same host and port as long as they have different names. Local Knowledge Objects is enabled for two or more federated providers with the same host name and port, the knowledge objects are only replicated once, meaning you will not end up with multiple bundle replications of knowledge object sets for a single host name and port.
Service accounts and federated search security
Define a federated provider
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2107