Splunk Cloud Platform

Search Experience preview

This documentation does not apply to the most recent version of Splunk Cloud Platform. For documentation on the most recent version, go to the latest release.

Known issues

Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms.

The following are known issues and workarounds for the Search Experience preview.

Issue Description
Indexes Indexes from Splunk Cloud Platform deployments that contain non-alphanumeric characters or that begin with an underscore ( _ ) character cannot be accessed by the Search Experience preview.
Metric indexes Metric indexes from Splunk Cloud Platform deployments are not supported at this time.
Lookups Lookups from Splunk Cloud Platform deployments are not supported at this time.
Data models Data models from Splunk Cloud Platform deployments are not supported at this time.
Field extractions Searches are run using the Fast Mode, so only very basic field extractions are performed.


Workaround: Copy and paste the following into your search module and make the substitutions described in the comments 

// gimmeAllFieldExtractions is a function,
// which is a temporary workaround 
// to force the return of all extracted fields.

function gimmeAllFieldExtractions($source: dataset): dataset {
    return | FROM $source | SELECT 'a*','b*','c*','d*','e*','f*','g*','h*','i*','j*','k*','l*','m*','n*','o*','p*','q*','r*','s*','t*','u*','v*','w*','x*','y*','z*','A*','B*','C*','D*','E*','F*','G*','H*','I*','J*','K*','L*','M*','N*','O*','P*','Q*','R*','S*','T*','U*','V*','W*','X*','Y*','Z*', '1*', '2*', '3*', '4*', '5*', '6*', '7*', '8*', '9*', '0*', '_*';
}

// The following is an example of how
// to use the gimmeAllFieldExtractions
// function against a dataset.

$allFields = from <dataset_name>  // replace <dataset_name>
| gimmeAllFieldExtractions   // call the function
| <your SPL2 search syntax>   // substitute with your search
Verbose and smart mode searches If your Splunk Cloud Platform stack is on version 8.2.2202 or higher, your searches in the Search Experience preview are run in Smart mode. Otherwise your searches are run in Fast mode.
Dataset count When logged on as an admin user, if you perform a connection refresh, the UI does not update the dataset count after you click the Refresh icon.


Workaround:

  1. In the Connection wizard, click Done to exit the wizard.
  2. From the Settings menu, select Manage connection to see the updated dataset count.
Searches using the sample data Searches that use the sample data should use the All time time range. The sample data is a snapshot of a set of events which have fixed timestamps. Searches run with other time ranges might not return any events or field data.
Last modified on 26 January, 2023
Fixed issues  

This documentation applies to the following versions of Splunk Cloud Platform: search2preview

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters