Thanks @richgalloway. So just to confirm: "To know what results to return to the SH, the peers need to know the values of the tags, eventtypes, and macros used in the query."

Example: "index=_audit eventtype=splunk_access". Since event type extraction is search-time (not index-time), the indexer does not have a definition for that event type. Because of this, the SH needs to push the definition for that event type to the indexer:

    [splunk_access]
    search = index=_audit "action=login attempt" NOT "action=search"

Once that is done, the indexer will actually expand the original SQL query to "index=_audit index=_audit action=login attempt NOT action=search" and will be able to execute the query correctly. The same would happen with most of the other Knowledge Objects, including all the search-time field extractions.

So the summary would be: the Search Head needs to push Knowledge Objects to the indexer, because for the indexer those are "unknown variables/names". The indexer does not have those definitions and does not know how to expand/execute SQL queries using those KOs. This is applicable only to search-time operations/objects defined on the SH (index-time related configurations like TRANSFORMS should already be on the indexer).

Could you please confirm @richgalloway that all of this is correct? Thanks!
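As an added illustration (not part of the post above, and not Splunk's own search-expansion code), the following simplified Python model shows why a peer needs the search head's eventtype definition: it parses an eventtypes.conf-style stanza and expands `eventtype=<name>` in a search, failing when the name is unknown on the peer. The parenthesised expansion form and the `EVENTTYPE_REF` pattern are assumptions of this model.

```python
"""Simplified model of knowledge-object expansion on a search peer.
An eventtype is a search-time alias for a search fragment, so a peer that
has not received the definition cannot expand it. Educational model only,
not Splunk's actual implementation."""
import configparser
import re

# Constructed eventtypes.conf content, as it would travel to the peers in
# the knowledge bundle (stanza taken from the post above).
EVENTTYPES_CONF = """
[splunk_access]
search = index=_audit "action=login attempt" NOT "action=search"
"""

# Matches eventtype=name or eventtype="name" (assumed simplified syntax).
EVENTTYPE_REF = re.compile(r'eventtype=("?)([\w-]+)\1')


def load_eventtypes(conf_text):
    """Parse eventtypes.conf-style stanzas into {name: search}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return {name: parser[name]["search"].strip() for name in parser.sections()}


def expand_search(search, eventtypes):
    """Replace each eventtype=<name> with its parenthesised definition.

    Raises KeyError when a referenced eventtype is unknown, which is the
    situation a peer is in before the bundle carrying it has arrived.
    """
    def substitute(match):
        name = match.group(2)
        if name not in eventtypes:
            raise KeyError(f"eventtype '{name}' is not defined on this peer")
        return f"({eventtypes[name]})"
    return EVENTTYPE_REF.sub(substitute, search)


if __name__ == "__main__":
    known = load_eventtypes(EVENTTYPES_CONF)
    print(expand_search("index=_audit eventtype=splunk_access", known))
    try:  # a peer that never received the bundle cannot expand the alias
        expand_search("index=_audit eventtype=splunk_access", {})
    except KeyError as err:
        print("peer without bundle:", err)
```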