https://community.splunk.com/t5/Getting-Data-In/same-BIND-logs-parsing-different/m-p/476743#M81853 <P>Good morning all,</P> <P>I got two DNS servers, mirrors one of the other, that are sending logs to splunk via Syslog.</P> <P>Doing some research I found that one of the hosts logs are being properly parsed but the logs for the other ones are not.</P> <P>properly parsed query<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7907iB0C4FE74F9A4AB25/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>unparsed query<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7908i7A7875BB3F2331F5/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Both systems logs are stored in the same index and use the same sourcetype.</P> <P>Any help will be really appreciated.</P> Thu, 07 Nov 2019 07:19:47 GMT bluaces 2019-11-07T07:19:47Z https://community.splunk.com/t5/Getting-Data-In/same-BIND-logs-parsing-different/m-p/476743#M81853 <P>Good morning all,</P> <P>I got two DNS servers, mirrors one of the other, that are sending logs to splunk via Syslog.</P> <P>Doing some research I found that one of the hosts logs are being properly parsed but the logs for the other ones are not.</P> <P>properly parsed query<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7907iB0C4FE74F9A4AB25/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>unparsed query<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7908i7A7875BB3F2331F5/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Both systems logs are stored in the same index and use the same sourcetype.</P> <P>Any help will be really appreciated.</P> Thu, 07 Nov 2019 07:19:47 GMT https://community.splunk.com/t5/Getting-Data-In/same-BIND-logs-parsing-different/m-p/476743#M81853 bluaces 2019-11-07T07:19:47Z https://community.splunk.com/t5/Getting-Data-In/same-BIND-logs-parsing-different/m-p/476744#M81854 <P>I'm guessing that you are using search time field extraction. <BR /> If you are using search head clustering behind a router, one search head has the correct props.conf and another does not.</P> <P>Any time the sourcetype is modified, you must cycle Splunk. First try diff'ing props.conf and/or transforms.conf between the two servers. If they don't match, that's your issue. If they do match, cycle Splunk on the server that's not parsing properly.</P> <P>Also, for search time field extraction, props.conf must exist under the context of the search app. On the server where the results are different/unexpected, ensure that the correct sourcetype exists, and is in the correct context (.../etc/apps/search/...) eg.</P> Fri, 15 Nov 2019 05:25:22 GMT https://community.splunk.com/t5/Getting-Data-In/same-BIND-logs-parsing-different/m-p/476744#M81854 codebuilder 2019-11-15T05:25:22Z