Splunk search is not working in Splunk Cloud platf...

Pooja1 · ‎05-29-2025

Hi Team,

On May 20th, we successfully migrated from Splunk On-Prem to Splunk Cloud. We have a scheduled search that runs every 31 minutes, which was functioning correctly in the on-prem environment. However, after the migration, the same search query is no longer working in the cloud environment.

on-prem

index=proofpoint earliest=-32m@m latest=-1m@m | transaction x, qid keepevicted=true | search action=* cmd=env_from cmd=env_rcpt | addinfo | fields action country delay dest duration file_hash file_name file_size internal_message_id message_id message_info orig_dest orig_recipient orig_src process process_id protocol recipient recipient_count recipient_status reply response_time retries return_addr size src src_user status_code subject url user vendor_product xdelay xref filter_action filter_score signature signature signature_extra signature_id | fields - _raw | join type=outer internal_message_id [search index=summary sourcetype=proofpoint_stash earliest=-48m | fields internal_message_id | dedup internal_message_id | eval inSummary="T"] | search NOT inSummary="T"| collect index=summary addtime=true source=proofpoint sourcetype=proofpoint_stash

Cloud

index=proofpoint earliest=-32m@m latest=-1m@m | transaction x, qid keepevicted=true | search action=* cmd=env_from cmd=env_rcpt | addinfo | fields action country delay dest duration file_hash file_name file_size internal_message_id message_id message_info orig_dest orig_recipient orig_src process process_id protocol recipient recipient_count recipient_status reply response_time retries return_addr size src src_user status_code subject url user vendor_product xdelay xref filter_action filter_score signature signature signature_extra signature_id | fields - _raw | join type=outer internal_message_id [search index=summary sourcetype=stash earliest=-48m | fields internal_message_id | dedup internal_message_id | eval inSummary="T"] | search NOT inSummary="T"| collect index=proofpoint_summary addtime=true source=proofpoint sourcetype=stash

Thanks

Pooja1 · ‎05-29-2025

1. Yes Splunk PS was involved, and yes it was same query only summary index is changed.
2. In on-prem many fields are showing but in Cloud only 5-6 fields showing.
3. proofpoint_summary was created just to get the diff between summary index and proofpoint_summary and yes user is having access to it.
4. proofpoint_summary was created in Cloud

livehybrid · ‎05-29-2025

Hi @Pooja1

There are a few things to cover off here, I guess the first is who did the migration? Usually Splunk PS will check that all scheduled searches are running without errors and cleanly before handing over.

Regarding the search - I see there isnt much difference between them, mainly the index you're collecting in to.

How have you determined that the search *isnt* running?

Have you seen any specific errors in _internal/_audit regarding the search?

Has the proofpoint_summary index been created in Splunk Cloud?

Who is the search owned by, is this a service account/nobody/specific user?

Do you, and the search owner have access to the proofpoint_summary index?

Please let me know if you're able to provide some of the answers to this as it will help pinpoint the issue.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Splunk search is not working in Splunk Cloud platform

subsearch

table

transaction

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?