Help with knowledge objects
The following table lists knowledge object definitions, files, and collections that might need to be duplicated on your federated and remote search heads if you want to use them in federated searches. You can verify the existence of a knowledge object by looking it up in Settings for your local deployment and the remote deployments involved in the federated search.
All links go to topics in the Knowledge Manager Manual unless otherwise indicated.
| Type of knowledge object | Items that might need to be duplicated among the federated and remote search heads | For more information |
|---|---|---|
| Custom search-time field extraction | Field extraction configurations | About fields |
| Calculated field | Calculated field definition | About calculated fields |
| Field alias | Field alias definition | Create field aliases in Splunk Web |
| CSV file lookup |
|
Define a CSV lookup in Splunk Web |
| External lookup |
|
Create external lookups for apps in Splunk Cloud Platform or Splunk Enterprise in the Developer Guide on the Developer Portal |
| KV Store lookup |
|
Define a KV store lookup in Splunk Web |
| Geospatial lookup |
|
Define a geospatial lookup in Splunk Web |
| Event type | Event type definition | About event types |
| Search macro | Search macro definition | Define search macros in Settings |
| Tag | Tag definition | Define and manage tags in Settings |