Set the app context for standard mode federated providers
All Splunk searches run within the context of an app such as Search and Reporting. The app context determines the set of knowledge objects that the search head applies to the search during search processing. For example, when you run Splunk searches while you use the Search app, the app context of those searches guarantees that your search head applies Search-specific knowledge objects such as calculated fields, lookups, and field extractions to those searches.
The concept of app context is also crucial to searches that you run with Federated Search for Splunk. When you run a federated search over a remote Splunk platform deployment, you must ensure that the Splunk software applies the same app context to the local and remote portions of the search. However, when you run a federated search over a standard mode federated provider, there is no way for the provider's remote search head to detect the app context of the local search head.
Resolve this issue by identifying the app context of the standard mode federated provider when you define the provider: Set the federated provider's Application short name to the short name of the desired app. Install the app on the federated provider if it isn't currently installed there.
Later, when you run a federated search over a standard mode federated provider, make sure the provider has the same Application short name as the app context of the search. If there is an app context mismatch, your federated searches might fail or return incorrect results because they are using different sets of knowledge objects on the local and remote sides of the federated search.
For more information about federated provider setup, see Define a Splunk platform federated provider.
For help with app installation:
- If you use Splunk Cloud Platform, see Install apps on your Splunk Cloud Platform deployment in the Splunk Cloud Platform Admin Manual.
- If you use Splunk Enterprise, see Where to get more apps and add-ons in the Admin Manual.