topic Re: Differences between Splunk Cloud and Splunk Enterprise lispy in Splunk Search

What are the differences between Splunk Cloud and Splunk Enterprise lispy?

aprice_q — Tue, 20 Sep 2022 14:36:31 GMT

Hi,

We are using both Splunk Cloud and Splunk Enterprise. We recently came across some issues/differences in search we originally thought were due to indexed field issues but turned out to be more about some basic difference in how each environment converts a search into lispy (at least that is what we observe).

For example in Splunk Cloud 8.2.2203.4 the following search:

index=_internal some_field=some-value

Results in the following lispy:

[ AND index::_internal [ OR some_field::some-value [ AND some value ] ] ]

For our Splunk Enterprise 8.2.6 the same search results in the following lispy:

[ AND index::_internal some value ]

In our case `some_field` is an index field added on by our HEC requests. This results in very incorrect searches in enterprise and inefficient searches in cloud.

We do now realize we can just directly query for "some_field::some_value" but we would like to understand this behavior difference and if it is configurable.

Thanks

Re: Differences between Splunk Cloud and Splunk Enterprise lispy

scelikok — Tue, 20 Sep 2022 03:50:59 GMT

Hi @aprice_q,

Your on-prem instance may have a missing setting for the "some_field" indexed field. That is why lispy and results may be different. Please check if your on-prem instance has INDEXED=true for "some_field" field in your fields.conf like below;

fields.conf [some_field] INDEXED = true

Re: Differences between Splunk Cloud and Splunk Enterprise lispy

aprice_q — Tue, 20 Sep 2022 13:30:58 GMT

Thanks @scelikok

I have tried setting that but then i get a different result for the lispy. When i set it in the fields.conf this is what the lispy is:

[ AND index::_internal some_field::some_value ]

So it dropped the terms for just "some" and "value"

Something still seems different.