Empty Search Results useing Splunk for DNS

hartfoml · ‎01-10-2014

I am useing Splunk for DNS on Searchhead version 6.x
I have indexers on 5.x
is the APP I get no results form the searches but if i copy the search to the search app they all work fine.

Here are the debug messages:

The following messages were returned by the search subsystem:

• DEBUG: BatchMode search is disabled because at least one search peer does not support it.
• DEBUG: [1-46.Mynetwork] Adjusting search for peers with version (4.3.1): new remote search = 'litsearch index=network sourcetype=dns | litsearch index=network sourcetype="dns" | search named_domain!="*.arpa" | eval named_domain=lower(named_domain) | addinfo type=count label=prereport_events | fields keepcolorder=t "cvp_reserved_count" "named_domain" | pretop 10 named_domain', additional local search = ''
• DEBUG: [1-46.Mynetwork] search context: user="admin", app="sec-one_dns", bs-pathname="/opt/splunk/var/run/searchpeers/5-46-1389376147"
• DEBUG: [2-46.Mynetwork] search context: user="admin", app="sec-one_dns", bs-pathname="/opt/splunk/var/run/searchpeers/5-46-1389376147"
• DEBUG: [3-46.Mynetwork] search context: user="admin", app="sec-one_dns", bs-pathname="/opt/splunk/var/run/searchpeers/5-46-1389376147"
• DEBUG: [6-17.Mynetwork] Adjusting search for peers with version (4.3.6): new remote search = 'litsearch index=network sourcetype=dns | litsearch index=network sourcetype="dns" | search named_domain!="*.arpa" | eval named_domain=lower(named_domain) | addinfo type=count label=prereport_events | fields keepcolorder=t "cvp_reserved_count" "named_domain" | pretop 10 named_domain', additional local search = ''
• DEBUG: [6-17.Mynetwork] search context: user="admin", app="sec-one_dns", bs-pathname="/opt/splunk/var/run/searchpeers/5-46-1389376147"
• DEBUG: [01.MyotherNetwork] Adjusting search for peers with version (5.0.1): new remote search = 'litsearch index=network sourcetype=dns | litsearch index=network sourcetype="dns" | search named_domain!="*.arpa" | eval named_domain=lower(named_domain) | addinfo type=count label=prereport_events | fields keepcolorder=t "cvp_reserved_count" "named_domain" | pretop 10 named_domain', additional local search = ''
• DEBUG: [01.MyotherNetwork] search context: user="admin", app="sec-one_dns", bs-pathname="/opt/splunk/var/run/searchpeers/5-46-1389376147"
• DEBUG: [02.MyotherNetwork] search context: user="admin", app="sec-one_dns", bs-pathname="/opt/splunk/var/run/searchpeers/5-46-1389376147"
• DEBUG: base lispy: [ AND index::network sourcetype::dns ]
• DEBUG: search context: user="admin", app="sec-one_dns", bs-pathname="/opt/splunk/etc"

Is there something I can do to get this working?
Why does it work in search but not the DNS App

Defensive-ISS · ‎06-29-2014

Splunk has change the way search works. I will be updating the application soon.

hartfoml · ‎01-10-2014

Also I tried useing the Search Bar in the DNS App and I can not search any of the DNS data.

Empty Search Results useing Splunk for DNS

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability