Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What are the differences between Splunk Cloud and Splunk Enterprise lispy?

aprice_q
Observer
‎09-19-2022 02:12 PM

Hi,

We are using both Splunk Cloud and Splunk Enterprise. We recently came across some issues/differences in search we originally thought were due to indexed field issues but turned out to be more about some basic difference in how each environment converts a search into lispy (at least that is what we observe).

For example in Splunk Cloud 8.2.2203.4 the following search:

 

index=_internal some_field=some-value

 

Results in the following lispy:

 

[ AND index::_internal [ OR some_field::some-value [ AND some value ] ] ]

 

 

For our Splunk Enterprise 8.2.6 the same search results in the following lispy:

 

[ AND index::_internal some value ]

 

 

In our case `some_field` is an index field added on by our HEC requests. This results in very incorrect searches in enterprise and inefficient searches in cloud.

We do now realize we can just directly query for "some_field::some_value" but we would like to understand this behavior difference and if it is configurable.

 

Thanks

Labels (1)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎09-19-2022 08:50 PM

Hi @aprice_q,

Your on-prem instance may have a missing setting for the "some_field" indexed field. That is why lispy and results may be different. Please check if your on-prem instance has INDEXED=true for "some_field" field in your fields.conf like below;

fields.conf

[some_field]
INDEXED = true
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

aprice_q
Observer
‎09-20-2022 06:30 AM

Thanks @scelikok 

I have tried setting that but then i get a different result for the lispy. When i set it in the fields.conf this is what the lispy is:

[ AND index::_internal some_field::some_value ]

 

So it dropped the terms for just "some" and "value"

Something still seems different.

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...