
Splunk search is not working in Splunk Cloud platform

Pooja1
Loves-to-Learn Everything

Hi Team,

On May 20th, we successfully migrated from Splunk On-Prem to Splunk Cloud. We have a scheduled search that runs every 31 minutes, which was functioning correctly in the on-prem environment. However, after the migration, the same search query is no longer working in the cloud environment.

on-prem

index=proofpoint earliest=-32m@m latest=-1m@m | transaction x, qid keepevicted=true | search action=* cmd=env_from cmd=env_rcpt | addinfo | fields action country delay dest duration file_hash file_name file_size internal_message_id message_id message_info orig_dest orig_recipient orig_src process process_id protocol recipient recipient_count recipient_status reply response_time retries return_addr size src src_user status_code subject url user vendor_product xdelay xref filter_action filter_score signature signature signature_extra signature_id | fields - _raw | join type=outer internal_message_id [search index=summary sourcetype=proofpoint_stash earliest=-48m | fields internal_message_id | dedup internal_message_id | eval inSummary="T"] | search NOT inSummary="T"| collect index=summary addtime=true source=proofpoint sourcetype=proofpoint_stash

Cloud

index=proofpoint earliest=-32m@m latest=-1m@m | transaction x, qid keepevicted=true | search action=* cmd=env_from cmd=env_rcpt | addinfo | fields action country delay dest duration file_hash file_name file_size internal_message_id message_id message_info orig_dest orig_recipient orig_src process process_id protocol recipient recipient_count recipient_status reply response_time retries return_addr size src src_user status_code subject url user vendor_product xdelay xref filter_action filter_score signature signature signature_extra signature_id | fields - _raw | join type=outer internal_message_id [search index=summary sourcetype=stash earliest=-48m | fields internal_message_id | dedup internal_message_id | eval inSummary="T"] | search NOT inSummary="T"| collect index=proofpoint_summary addtime=true source=proofpoint sourcetype=stash


Thanks

0 Karma

Pooja1
Loves-to-Learn Everything

1. Yes, Splunk PS was involved, and yes, it was the same query; only the summary index was changed.
2. In on-prem many fields are showing, but in Cloud only 5-6 fields are showing.
3. proofpoint_summary was created just to get the diff between the summary index and proofpoint_summary, and yes, the user has access to it.
4. proofpoint_summary was created in Cloud.

0 Karma

livehybrid
SplunkTrust

Hi @Pooja1 

There are a few things to cover off here; I guess the first is: who did the migration? Usually Splunk PS will check that all scheduled searches are running without errors and cleanly before handing over.

Regarding the search - I see there isn't much difference between them, mainly the index you're collecting into.

How have you determined that the search *isn't* running?

Have you seen any specific errors in _internal/_audit regarding the search?

Has the proofpoint_summary index been created in Splunk Cloud?

Who is the search owned by? Is this a service account, nobody, or a specific user?

Do you, and the search owner, have access to the proofpoint_summary index?

Please let me know if you're able to provide some of the answers to this as it will help pinpoint the issue.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
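As an added set of checks (not part of livehybrid's reply or the original thread), the SPL below answers the diagnostic questions above from the Splunk side rather than by inspection: whether the scheduler is actually running the saved search and with what status, whether any runs were skipped, what _audit recorded for the completed runs, whether the collect is landing anything in proofpoint_summary, and which fields the search actually produces before the collect. The saved-search name is a placeholder to replace with the name shown under Settings > Searches, reports, and alerts; the index and sourcetype names are the ones from the Cloud query on this page, and the field names (status, user, app, reason, savedsearch_name, exec_time, total_run_time, result_count) are the ones Splunk's own scheduler and audit logs emit. Each search must be run by a user with access to _internal, _audit and proofpoint_summary, which is itself one of the questions being answered.

```spl
index=_internal sourcetype=scheduler savedsearch_name="<your_saved_search_name>" earliest=-24h
| stats count max(_time) AS last_run BY status user app

index=_internal sourcetype=scheduler savedsearch_name="<your_saved_search_name>" status=skipped earliest=-24h
| stats count BY reason

index=_audit action=search info=completed savedsearch_name="<your_saved_search_name>" earliest=-24h
| table _time user exec_time total_run_time event_count result_count

| eventcount summarize=false index=proofpoint_summary

| tstats count WHERE index=proofpoint_summary sourcetype=stash earliest=-24h BY _time span=31m

index=proofpoint earliest=-32m@m latest=-1m@m
| transaction x, qid keepevicted=true
| search action=* cmd=env_from cmd=env_rcpt
| fieldsummary
| fields field count
```

Run the searches one at a time. The first two show whether the 31-minute schedule is firing at all, under which user and app, and why any runs were skipped; if the search owner cannot read proofpoint_summary, the scheduler rows will still show success while the audit rows show result_count=0 and the eventcount/tstats rows stay empty, which separates a permissions problem from a scheduling problem. The last search is the page's own query with the join and collect removed: comparing its field list between on-prem and Cloud shows directly whether the 5-6 fields seen in Cloud are lost before the collect (extraction or transaction differences) or at the collect itself.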