Manage knowledge objects for standard mode federated providers

If you plan to use Federated Search for Splunk to run federated searches that invoke your knowledge objects over a standard mode federated provider, identify the knowledge objects that you want to use in your searches and make sure they are present on the required search heads:

• All knowledge objects that are used in a specific standard mode federated search must be defined on the remote deployment. This means that all knowledge objects in your search, such as calculated fields, event types, tags, and lookups must be present on the remote search head or the search will fail. For some commands, knowledge objects must also be defined on the local federated search head, especially if the knowledge object is needed on the local deployment to run the search.

• Calculated fields, and, for some types of searches, definitions for lookups, event types, and tags must also be on the local federated search head. If this duplication of knowledge objects is not present as required, searches might fail or return errors. Splunk Web displays a warning message if a knowledge object is required on the federated search head, in addition to the remote search head.

Making knowledge objects available on the remote search heads, and federated search heads, as needed, helps ensure your federated searches complete without errors and return correct results. For example, if you are running a standard mode federated search that references a calculated field, the definition for the calculated field must be present on the local and remote sides of the federated search; if the calculated field doesn't exist on the remote search head, the remote search head can't apply the calculated field to search results from the federated provider, and if the calculated field doesn't exist on the federated search head, the search fails.