Empty Search Results using Splunk for DNS

hartfoml
Motivator

I am using Splunk for DNS on a search head running version 6.x.
I have indexers on 5.x.
In the app I get no results from the searches, but if I copy the search to the Search app they all work fine.

Here are the debug messages:

The following messages were returned by the search subsystem:

• DEBUG: BatchMode search is disabled because at least one search peer does not support it.
• DEBUG: [1-46.Mynetwork] Adjusting search for peers with version (4.3.1): new remote search = 'litsearch index=network sourcetype=dns | litsearch index=network sourcetype="dns" | search named_domain!="*.arpa" | eval named_domain=lower(named_domain) | addinfo type=count label=prereport_events | fields keepcolorder=t "cvp_reserved_count" "named_domain" | pretop 10 named_domain', additional local search = ''
• DEBUG: [1-46.Mynetwork] search context: user="admin", app="sec-one_dns", bs-pathname="/opt/splunk/var/run/searchpeers/5-46-1389376147"
• DEBUG: [2-46.Mynetwork] search context: user="admin", app="sec-one_dns", bs-pathname="/opt/splunk/var/run/searchpeers/5-46-1389376147"
• DEBUG: [3-46.Mynetwork] search context: user="admin", app="sec-one_dns", bs-pathname="/opt/splunk/var/run/searchpeers/5-46-1389376147"
• DEBUG: [6-17.Mynetwork] Adjusting search for peers with version (4.3.6): new remote search = 'litsearch index=network sourcetype=dns | litsearch index=network sourcetype="dns" | search named_domain!="*.arpa" | eval named_domain=lower(named_domain) | addinfo type=count label=prereport_events | fields keepcolorder=t "cvp_reserved_count" "named_domain" | pretop 10 named_domain', additional local search = ''
• DEBUG: [6-17.Mynetwork] search context: user="admin", app="sec-one_dns", bs-pathname="/opt/splunk/var/run/searchpeers/5-46-1389376147"
• DEBUG: [01.MyotherNetwork] Adjusting search for peers with version (5.0.1): new remote search = 'litsearch index=network sourcetype=dns | litsearch index=network sourcetype="dns" | search named_domain!="*.arpa" | eval named_domain=lower(named_domain) | addinfo type=count label=prereport_events | fields keepcolorder=t "cvp_reserved_count" "named_domain" | pretop 10 named_domain', additional local search = ''
• DEBUG: [01.MyotherNetwork] search context: user="admin", app="sec-one_dns", bs-pathname="/opt/splunk/var/run/searchpeers/5-46-1389376147"
• DEBUG: [02.MyotherNetwork] search context: user="admin", app="sec-one_dns", bs-pathname="/opt/splunk/var/run/searchpeers/5-46-1389376147"
• DEBUG: base lispy: [ AND index::network sourcetype::dns ]
• DEBUG: search context: user="admin", app="sec-one_dns", bs-pathname="/opt/splunk/etc"

Is there something I can do to get this working?
Why does it work in Search but not in the DNS app?

0 Karma

Defensive-ISS
New Member

Splunk has changed the way search works. I will be updating the application soon.

0 Karma

hartfoml
Motivator

Also, I tried using the search bar in the DNS app and I cannot search any of the DNS data.

0 Karma