Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

same BIND logs parsing different

bluaces
New Member
‎11-06-2019 11:19 PM

Good morning all,

I got two DNS servers, mirrors one of the other, that are sending logs to splunk via Syslog.

Doing some research I found that one of the hosts logs are being properly parsed but the logs for the other ones are not.

properly parsed query
alt text

unparsed query
alt text

Both systems logs are stored in the same index and use the same sourcetype.

Any help will be really appreciated.

Preview file
47 KB
Preview file
67 KB
0 Karma
Reply

codebuilder
Influencer
‎11-14-2019 09:25 PM

I'm guessing that you are using search time field extraction.
If you are using search head clustering behind a router, one search head has the correct props.conf and another does not.

Any time the sourcetype is modified, you must cycle Splunk. First try diff'ing props.conf and/or transforms.conf between the two servers. If they don't match, that's your issue. If they do match, cycle Splunk on the server that's not parsing properly.

Also, for search time field extraction, props.conf must exist under the context of the search app. On the server where the results are different/unexpected, ensure that the correct sourcetype exists, and is in the correct context (.../etc/apps/search/...) eg.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...