Splunk Search

What are the differences between Splunk Cloud and Splunk Enterprise lispy?

aprice_q
Observer

Hi,

We are using both Splunk Cloud and Splunk Enterprise. We recently came across some issues/differences in search we originally thought were due to indexed field issues but turned out to be more about some basic difference in how each environment converts a search into lispy (at least that is what we observe).

For example in Splunk Cloud 8.2.2203.4 the following search:

index=_internal some_field=some-value

Results in the following lispy:

[ AND index::_internal [ OR some_field::some-value [ AND some value ] ] ]

For our Splunk Enterprise 8.2.6 the same search results in the following lispy:

[ AND index::_internal some value ]

In our case `some_field` is an index field added on by our HEC requests. This results in very incorrect searches in enterprise and inefficient searches in cloud.

We do now realize we can just directly query for "some_field::some_value" but we would like to understand this behavior difference and if it is configurable.

Thanks

scelikok
SplunkTrust

Hi @aprice_q,

Your on-prem instance may have a missing setting for the "some_field" indexed field. That is why lispy and results may be different. Please check if your on-prem instance has INDEXED=true for the "some_field" field in your fields.conf like below:

fields.conf

[some_field]
INDEXED = true

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

aprice_q
Observer

Thanks @scelikok

I have tried setting that but then I get a different result for the lispy. When I set it in the fields.conf this is what the lispy is:

[ AND index::_internal some_field::some_value ]

So it dropped the terms for just "some" and "value".

Something still seems different.
