Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

What are the differences between Splunk Cloud and Splunk Enterprise lispy?

aprice_q
Observer
‎09-19-2022 02:12 PM

Hi,

We are using both Splunk Cloud and Splunk Enterprise. We recently came across some issues/differences in search we originally thought were due to indexed field issues but turned out to be more about some basic difference in how each environment converts a search into lispy (at least that is what we observe).

For example in Splunk Cloud 8.2.2203.4 the following search:

 

index=_internal some_field=some-value

 

Results in the following lispy:

 

[ AND index::_internal [ OR some_field::some-value [ AND some value ] ] ]

 

 

For our Splunk Enterprise 8.2.6 the same search results in the following lispy:

 

[ AND index::_internal some value ]

 

 

In our case `some_field` is an index field added on by our HEC requests. This results in very incorrect searches in enterprise and inefficient searches in cloud.

We do now realize we can just directly query for "some_field::some_value" but we would like to understand this behavior difference and if it is configurable.

 

Thanks

Labels (1)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎09-19-2022 08:50 PM

Hi @aprice_q,

Your on-prem instance may have a missing setting for the "some_field" indexed field. That is why lispy and results may be different. Please check if your on-prem instance has INDEXED=true for "some_field" field in your fields.conf like below;

fields.conf

[some_field]
INDEXED = true
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

aprice_q
Observer
‎09-20-2022 06:30 AM

Thanks @scelikok 

I have tried setting that but then i get a different result for the lispy. When i set it in the fields.conf this is what the lispy is:

[ AND index::_internal some_field::some_value ]

 

So it dropped the terms for just "some" and "value"

Something still seems different.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...