
Cisco Networks App for Splunk Enterprise: Why does the configuration audit show "Archiving not enabled on this device"

spattenqt
Explorer

Everything in the Cisco Networks App for Splunk Enterprise is working great, except the configuration audit. It shows ARCHIVING IS NOT ENABLED ON THIS DEVICE in the cmd field, however, logging is enabled, and if I click on the "error", I can actually see the raw data in the search. Is anybody else having this problem or familiar with the solution?

0 Karma

mikaelbje
Motivator

Paste sample logs as seen in Splunk, please. Otherwise I have to speculate what your issue might be.

0 Karma

Moorrees
New Member

It seems I have the same issue.
2 switches, I think the config is the same, but I see the message "ARCHIVING NOT ENABLED ON THIS DEVICE"

0 Karma

mikaelbje
Motivator

Ok, thanks for confirming. Let's verify a few things:

  1. Do you see the facility, mnemonic, user and command fields extracted when you run your manual search? What about the event_id field?
  2. Are you running version 2.2.1 (or the newly released 2.3.0) of both Cisco Networks app for Splunk Enterprise AND Cisco Networks add-on for Splunk Enterprise?
  3. Have you made any local changes in any of the apps/add-ons? I'm asking because a refinement was done not too long ago to support config change management even when the event_id field is missing by resorting to using the event's _time field instead.
  4. Try version 2.3.0 of both apps to see if that helps 🙂

Mikael

0 Karma

mikaelbje
Motivator

Oh, I missed something. It looks like you are getting your syslog through TCP which is not fully supported at this time. Could you check if UDP works better?

0 Karma

spattenqt
Explorer

Entry in the app:

2015-09-09 09:48:08     1.1.1.1     console     username    vty0    1.1.1.1         ARCHIVING NOT ENABLED ON THIS DEVICE 

Actual log entries.

Sep 9 09:48:08 1.1.1.1 <189>213: Sep 9 08:53:07 CDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:username logged command:interface GigabitEthernet2/0/9

Sep 9 09:48:08 1.1.1.1 <189>214: Sep 9 08:53:07 CDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:username logged command:shutdown 

Sep 9 09:48:08 1.1.1.1 <189>215: Sep 9 08:53:07 CDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:username logged command:no shutdown 

Sep 9 09:48:08 1.1.1.1 <189>216: Sep 9 08:53:07 CDT: %SYS-5-CONFIG_I: Configured from console by username on vty0 (125.108.185.249)

0 Karma
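To show what the audit depends on, here is an added Python example (not code from the Cisco Networks App or add-on) that extracts the facility, mnemonic, event_id, user and command fields Mikael lists from raw lines shaped like the ones above, falls back to the timestamp as the correlation key when event_id is missing, and flags a host that reports a CONFIG_I session but no CFGLOG_LOGGEDCMD commands. The regexes, the second constructed host and the per-host verdict rule are my assumptions, not the app's actual logic.

```python
import re

# Constructed sample, shaped like the thread's raw entries (1.1.1.1 and
# "username" are the placeholders the original poster used).
SAMPLE_LINES = [
    "Sep 9 09:48:08 1.1.1.1 <189>213: Sep 9 08:53:07 CDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:username logged command:interface GigabitEthernet2/0/9",
    "Sep 9 09:48:08 1.1.1.1 <189>214: Sep 9 08:53:07 CDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:username logged command:shutdown",
    "Sep 9 09:48:08 1.1.1.1 <189>215: Sep 9 08:53:07 CDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:username logged command:no shutdown",
    "Sep 9 09:48:08 1.1.1.1 <189>216: Sep 9 08:53:07 CDT: %SYS-5-CONFIG_I: Configured from console by username on vty0 (125.108.185.249)",
    # Constructed second device: a config session is logged, but no archived commands.
    "Sep 9 09:50:00 2.2.2.2 <189>17: Sep 9 08:55:00 CDT: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (10.0.0.5)",
]

# Relay timestamp and host, <PRI>, optional "NNN:" sequence number (event_id),
# the device's own timestamp, then %FACILITY-SEVERITY-MNEMONIC: message text.
HEADER = re.compile(
    r"^(?P<relay_ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) <(?P<pri>\d+)>"
    r"(?:(?P<event_id>\d*): )?[*.]?(?P<dev_ts>\w{3} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?(?: [A-Z]+)?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)
CFGLOG = re.compile(r"^User:(?P<user>\S+) logged command:(?P<command>.*)$")
CONFIG_I = re.compile(r"^Configured from (?P<source>\S+) by (?P<user>\S+)(?: on (?P<line>\S+))?")

def parse_event(line):
    """Extract the fields the audit needs; None if the line is not a Cisco IOS message."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    sub = {"CFGLOG_LOGGEDCMD": CFGLOG, "CONFIG_I": CONFIG_I}.get(ev["mnemonic"])
    if sub and (s := sub.match(ev["msg"])):
        ev.update(s.groupdict())
    # Correlation key: the sequence number when the device sends one, otherwise
    # the timestamp (the fallback Mikael describes for a missing event_id).
    ev["key"] = ev["event_id"] or ev["relay_ts"]
    return ev

def config_audit(lines):
    """Per host: archived commands, CONFIG_I session count and an audit verdict."""
    report = {}
    for ev in filter(None, map(parse_event, lines)):
        entry = report.setdefault(ev["host"], {"commands": [], "sessions": 0})
        if ev["mnemonic"] == "CFGLOG_LOGGEDCMD":
            entry["commands"].append((ev["key"], ev.get("user"), ev.get("command")))
        elif ev["mnemonic"] == "CONFIG_I":
            entry["sessions"] += 1
    for entry in report.values():  # assumed rule: no archived commands -> the app's warning
        entry["verdict"] = "OK" if entry["commands"] else "ARCHIVING NOT ENABLED ON THIS DEVICE"
    return report
```

Calling config_audit(SAMPLE_LINES) reports 1.1.1.1 as OK with its three archived commands and 2.2.2.2 with the warning, which is the distinction the app's audit column is making.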