cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
aprice_q
Observer
Member since: ‎06-17-2022
‎09-20-2022
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-17-2022
View All

Re: Differences between Splunk Cloud and Splunk En...

by in Splunk Search
‎09-20-2022 06:30 AM
‎09-20-2022 06:30 AM
Thanks @scelikok  I have tried setting that but then i get a different result for the lispy. When i set it in the fields.conf this is what the lispy is: [ AND index::_internal some_field::some_value ]   So it dropped the terms for just "some" and "value" Something still seems different. ... View more

What are the differences between Splunk Cloud and ...

by in Splunk Search
‎09-19-2022 02:12 PM
‎09-19-2022 02:12 PM
Hi, We are using both Splunk Cloud and Splunk Enterprise. We recently came across some issues/differences in search we originally thought were due to indexed field issues but turned out to be more about some basic difference in how each environment converts a search into lispy (at least that is what we observe). For example in Splunk Cloud 8.2.2203.4 the following search:   index=_internal some_field=some-value   Results in the following lispy:   [ AND index::_internal [ OR some_field::some-value [ AND some value ] ] ]     For our Splunk Enterprise 8.2.6 the same search results in the following lispy:   [ AND index::_internal some value ]     In our case `some_field` is an index field added on by our HEC requests. This results in very incorrect searches in enterprise and inefficient searches in cloud. We do now realize we can just directly query for "some_field::some_value" but we would like to understand this behavior difference and if it is configurable.   Thanks ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎09-20-2022 08:37 PM