Administer knowledge object definitions for standard mode federated providers
Administrators with permissions to manage knowledge objects should have a plan for making knowledge object definitions available on remote and federated search heads, as needed, for the types of searches their users will run. Keep the following considerations in mind:
- The knowledge objects from the remote deployment should be accessible to the federated provider service account defined on the remote search head.
- Decide which knowledge objects should be available for your users and which should be restricted.
- Make sure the knowledge objects that users need to access are defined on the remote and federated search heads. This is especially important if your users don't have permission to add definitions to search heads themselves.
- Test your knowledge object definitions before deploying them to production to make sure that they work as expected in typical searches your users will run.
- If users must have access to knowledge object definitions on remote and federated search heads, give them a list of available knowledge objects and their corresponding remote provider locations.
Duplicate knowledge object names and definitions
When you prepare to run federated searches with knowledge objects over standard mode federated providers, you can avoid knowledge object errors by ensuring that knowledge objects with the same names and definitions exist on the local and remote sides of the search. To improve the likelihood of getting correct results from a standard mode federated search that involves knowledge objects, duplicate the names and definitions of those knowledge objects and related files (such as CSV files, for CSV file lookups) on the local federated and remote search heads.
Ensure custom knowledge objects exist on remote and federated search heads
After you identify the custom knowledge objects that your users can use in their federated searches, make sure those knowledge objects are present on the remote search head on the federated provider and on the federated search head, as needed. In most cases, the easiest way to do this is through Splunk Web.
Prerequisites
- Knowledge object verification requires admin access to the corresponding local and remote search heads where the knowledge objects are defined. If you do not have admin access to a Splunk platform deployment where you must duplicate knowledge objects, coordinate this work with the administrator of that deployment.
- Learn about federated provider service accounts. See Service accounts and security for Federated Search for Splunk.
Steps
- Identify a knowledge object that you want to use in your federated searches.
- Verify that the knowledge object exists with identical definitions on the local and remote deployments involved in the search by looking it up in Settings on each deployment. See Help with knowledge objects.
- If the knowledge object does not exist on a deployment involved in the search, duplicate its definition on the deployment.
- Ensure that the remote instance of the knowledge object has its permissions set so that the federated provider service account can access it. See Manage knowledge object permissions in the Knowledge Manager Manual.
- If the knowledge object is a lookup, duplicate the lookup file or collection and upload or install it in the federated provider.
Repeat this process for each knowledge object you intend to use in your federated searches.
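The checks in the steps above can also be run over exported inventories. The following is an added example, not Splunk code: it compares a local and a remote inventory and reports missing objects, differing definitions, differing lookup files, and remote objects the service account cannot read. The inventory shape (content plus an acl with sharing and perms.read) and the role name fsh_service are assumptions, and all sample data is constructed.

```python
import hashlib
import json

def fingerprint(value):
    """Hash any JSON-serialisable value; sorted keys make attribute order irrelevant."""
    return hashlib.sha256(json.dumps(value, sort_keys=True).encode()).hexdigest()

def readable_by(acl, roles):
    """True if a role may read; private (sharing 'user') objects count as unreadable."""
    if acl.get("sharing") == "user":  # assumes the service account is not the owner
        return False
    readers = set((acl.get("perms") or {}).get("read", []))
    return "*" in readers or bool(readers & set(roles))

def audit(local, remote, service_roles):
    """Return (object key, problem) pairs for one local/remote inventory pair."""
    findings = []
    for key in sorted(set(local) | set(remote)):
        loc, rem = local.get(key), remote.get(key)
        if loc is None or rem is None:
            findings.append((key, "missing on " + ("local" if loc is None else "remote")))
            continue
        if fingerprint(loc["content"]) != fingerprint(rem["content"]):
            findings.append((key, "definitions differ"))
        if loc.get("file_sha256") != rem.get("file_sha256"):
            findings.append((key, "lookup file differs"))
        if not readable_by(rem["acl"], service_roles):
            findings.append((key, "service account cannot read remote object"))
    return findings

# Constructed sample inventories, keyed by (object type, name).
OPEN = {"sharing": "global", "perms": {"read": ["*"]}}
ADMIN_ONLY = {"sharing": "app", "perms": {"read": ["admin"]}}
LOCAL = {
    ("macro", "prod_index"): {"content": {"definition": "index=prod"}, "acl": OPEN},
    ("macro", "dmz_hosts"): {"content": {"definition": "host=dmz*"}, "acl": OPEN},
    ("eventtype", "auth_failure"): {"content": {"search": "action=failure"}, "acl": OPEN},
    ("lookup", "asset_owners"): {"content": {"filename": "asset_owners.csv"}, "acl": OPEN,
                                 "file_sha256": fingerprint("host,owner\nweb01,alice\n")},
}
REMOTE = {
    ("macro", "prod_index"): {"content": {"definition": "index=production"}, "acl": OPEN},
    ("macro", "dmz_hosts"): {"content": {"definition": "host=dmz*"}, "acl": OPEN},
    ("lookup", "asset_owners"): {"content": {"filename": "asset_owners.csv"}, "acl": ADMIN_ONLY,
                                 "file_sha256": fingerprint("host,owner\nweb01,bob\n")},
}
SERVICE_ROLES = ["fsh_service"]  # hypothetical role held by the service account
if __name__ == "__main__":
    print(*audit(LOCAL, REMOTE, SERVICE_ROLES), sep="\n")
```

An empty result means every object in the two inventories matches and is readable by the service account's roles on the remote side.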