Run standard mode federated searches using event types and tags
Splunk handles event types and tags differently than lookups and other knowledge objects. Definitions for event types and tags must be on the remote search head, and depending on the search requirements, these knowledge object definitions might also be required on the federated search head. To avoid errors and ensure searches complete successfully, place knowledge object definitions on both remote search heads and federated search heads, if possible.
If the event type or tag definitions aren't present on the federated search head or remote search head as needed to successfully complete a search, Splunk Web displays a warning message indicating that they are missing. For example, if your search involves a remote dataset on a federated provider and a dataset on your local Splunk platform deployment, event types and tags must be defined on both the remote search head and the federated search head. If the knowledge objects are defined only on the remote search head, the federated search head warns the user that the definition doesn't exist on the federated search head.
You can use the presence or absence of a warning message in Splunk Web to determine whether you need to add an event type or tag definition to a remote search head or a local federated search head. The following table can help you anticipate where to place event type and tag definitions.
| Location of event type or tag definition | Description |
|---|---|
| RSH only | The federated search head displays a warning message letting you know that the event type or tag definition is missing from the local federated search head. You can choose to add the definition to the federated search head or ignore the warning if the event type or tag isn't required on the federated search head. If the search involves only federated datasets on remote standard mode federated providers, event types and tags only need to be defined on the remote search head; you don't need to define these knowledge objects on the local federated search head because the search is processed remotely. |
| FSH only | The federated search head displays a warning message generated by the remote search head letting you know that the event type or tag definition is missing from the remote search head. You can choose to add the definition to the remote search head or ignore the warning if the event type or tag isn't required on the remote search head. If the search doesn't involve a remote dataset on a federated provider, the search completes successfully without errors. You don't need to include the event type and tag definitions on the remote search head because the search is processed locally on the federated search head. |
| RSH and FSH | All searches complete successfully without errors. |
Grouping the tag with one dataset in parentheses limits where its definition is needed. In the first search the tag applies only to the local index `idx1`, so only the federated search head needs the definition; in the second it applies only to the remote index `id2`, so only the remote search head needs it:

```
(index=idx1 tag=p1) OR index=federated:id2
index=idx1 OR (index=federated:id2 tag=p1)
```
For more information, see About event types and About tags and aliases.
Examples of federated searches with event types and tags
In the following examples, you run searches with event type and tag definitions located on local federated search heads and remote search heads.
1. Example search on a local index
The following search applies the event type or tag to a local index only, so the definition must be on the local federated search head:

```
index=local_index eventtype=eventtype_a
index=local_index tag=tag_a
```
The following table shows you how the results for this search over a standard mode federated provider vary depending on where the event type or tag is defined. A warning message indicates that the event type or tag definition doesn't exist.
| Location of the event type or tag definition | Result |
|---|---|
| No definition on FSH or RSH | The search completes with a warning message from the Search app. |
| RSH only | The search completes with a warning message from the Search app. |
| FSH only | The search completes without any warning messages. |
| RSH and FSH | The search completes without any warning messages. |
2. Example search on a remote index on a federated provider
The following search applies the event type or tag to results from a remote index on the federated provider, so the definition must be on the remote search head:

```
index=federated:remote_index eventtype=eventtype_a
index=federated:remote_index tag=tag_a
```
The following table shows you how the results for this search over a standard mode federated provider vary depending on where the event type or tag is defined. A warning message indicates that the event type or tag definition doesn't exist.
| Location of the event type or tag definition | Result |
|---|---|
| No definition on FSH or RSH | The search completes with a warning message from the RSH. |
| RSH only | The search completes without any warning messages. |
| FSH only | The search completes with a warning message from the RSH. |
| RSH and FSH | The search completes without any warning messages. |
3. Example search on a local index and a remote index on a federated provider
The following search applies the event type or tag to search results from an index on the local deployment as well as a remote index on the federated provider. As a result, the definition must be on both the local federated search head and the remote search head:

```
index=local_index OR index=federated:remote_index eventtype=eventtype_a
index=local_index OR index=federated:remote_index tag=tag_a
```
The following table shows you how the results for this search over a standard mode federated provider vary depending on where the event type or tag is defined. A warning message indicates that the event type or tag definition doesn't exist.
| Location of the event type or tag definition | Result |
|---|---|
| No definition on FSH or RSH | The search completes with a warning message from the FSH and another warning from the RSH. |
| RSH only | The search completes with a warning message from the FSH. |
| FSH only | The search completes with a warning message from the RSH. |
| RSH and FSH | The search completes without any warning messages. |
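The three examples above (and the parenthesised searches earlier on the page) follow one rule: an event type or tag definition must exist on the federated search head for every local dataset it is applied to, and on the remote search head for every federated dataset it is applied to. The following pre-flight checker is an added example, not code from the Splunk documentation or product. It tokenizes a search with a deliberately minimal SPL reader (an assumption: it only understands `index=`, `eventtype=`, `tag=`, and parentheses, and treats a knowledge object as applying to the datasets of its innermost enclosing group), reports which search head must hold each definition, and predicts the warnings the page's result tables describe for a given placement of definitions.

```python
"""Pre-flight check for standard mode federated searches.

Added example, not part of the Splunk documentation. Models the page's rule:
a knowledge object (eventtype= or tag=) needs a definition on the FSH for the
local datasets it applies to and on the RSH for the federated datasets it
applies to. The SPL handling is a simplification (assumption): only index=,
eventtype=, tag= and parentheses are interpreted; OR and other terms are ignored.
"""
import re
from dataclasses import dataclass, field

FED_PREFIX = "federated:"                 # federated index names use this prefix
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")  # parens are their own tokens


@dataclass
class Group:
    """One parenthesised group of terms; the whole search is the root group."""
    datasets: set = field(default_factory=set)   # heads whose datasets appear here
    kos: list = field(default_factory=list)      # eventtype=/tag= terms in this group
    children: list = field(default_factory=list)


def parse(spl):
    """Build the group tree for a search string."""
    root = Group()
    stack = [root]
    for tok in TOKEN_RE.findall(spl):
        if tok == "(":
            child = Group()
            stack[-1].children.append(child)
            stack.append(child)
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')' in search")
            stack.pop()
        elif tok.startswith("index="):
            name = tok[len("index="):]
            # A local index is evaluated on the FSH, a federated one on the RSH.
            stack[-1].datasets.add("RSH" if name.startswith(FED_PREFIX) else "FSH")
        elif tok.startswith(("eventtype=", "tag=")):
            stack[-1].kos.append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '(' in search")
    return root


def all_datasets(group):
    """Heads needed by the datasets in this group and every nested group."""
    out = set(group.datasets)
    for child in group.children:
        out |= all_datasets(child)
    return out


def required_locations(spl):
    """Map each eventtype=/tag= term to the set of heads that must define it."""
    needs = {}

    def walk(group, inherited):
        # Assumption: a knowledge object applies to the datasets of its innermost
        # enclosing group; a group with no dataset of its own inherits its parent's.
        scope = all_datasets(group) or inherited
        for ko in group.kos:
            needs.setdefault(ko, set()).update(scope)
        for child in group.children:
            walk(child, scope)

    walk(parse(spl), set())
    return needs


def predict_warnings(spl, defined):
    """defined maps a term to the heads where it is defined, e.g. {"tag=tag_a": {"FSH"}}.
    Returns the expected warnings, FSH first and then RSH, as in the page's tables."""
    warnings = []
    needs = required_locations(spl)
    for head in ("FSH", "RSH"):
        for ko, where in needs.items():
            if head in where and head not in defined.get(ko, set()):
                side = "federated" if head == "FSH" else "remote"
                warnings.append(f"{head}: {ko} is not defined on the {side} search head")
    return warnings


if __name__ == "__main__":
    # Constructed inputs: the page's third example under each placement from its table.
    search = "index=local_index OR index=federated:remote_index eventtype=eventtype_a"
    for label, placement in [("none", set()), ("RSH only", {"RSH"}),
                             ("FSH only", {"FSH"}), ("RSH and FSH", {"RSH", "FSH"})]:
        print(label, "->", predict_warnings(search, {"eventtype=eventtype_a": placement})
              or ["no warnings"])
```

Run it as-is to reproduce the third result table; pass your own search and placement dictionary to `predict_warnings` to see, before running a federated search, which head will complain.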