Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

same BIND logs parsing different

bluaces
New Member
‎11-06-2019 11:19 PM

Good morning all,

I got two DNS servers, mirrors one of the other, that are sending logs to splunk via Syslog.

Doing some research I found that one of the hosts logs are being properly parsed but the logs for the other ones are not.

properly parsed query
alt text

unparsed query
alt text

Both systems logs are stored in the same index and use the same sourcetype.

Any help will be really appreciated.

Preview file
47 KB
Preview file
67 KB
0 Karma
Reply

codebuilder
Influencer
‎11-14-2019 09:25 PM

I'm guessing that you are using search time field extraction.
If you are using search head clustering behind a router, one search head has the correct props.conf and another does not.

Any time the sourcetype is modified, you must cycle Splunk. First try diff'ing props.conf and/or transforms.conf between the two servers. If they don't match, that's your issue. If they do match, cycle Splunk on the server that's not parsing properly.

Also, for search time field extraction, props.conf must exist under the context of the search app. On the server where the results are different/unexpected, ensure that the correct sourcetype exists, and is in the correct context (.../etc/apps/search/...) eg.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...