https://community.splunk.com/t5/All-Apps-and-Add-ons/Web-Intelligence-application-NO-data-in-Distributed-environment/m-p/70983#M70652 <P>Hey Araitz- I met you @ .conf this year, but any way.. </P> <OL> <LI><P>did you want me to do this search in the web app or the search app. I am not sure if it makes a difference.</P></LI> <LI><P>In the search app i do an search for sourcetype=iis and it returns all the w3c fields and others in the field picker.</P></LI> <LI><P>The sourcetype being assigned is iis.. and some instances there is iis-2,3... etc but I am fixing those as I run into them </P></LI> </OL> <P>Thanks</P> Wed, 26 Sep 2012 16:45:04 GMT paul_1994 2012-09-26T16:45:04Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Web-Intelligence-application-NO-data-in-Distributed-environment/m-p/70981#M70650 <P>I have installed the app on my search heads and created the indexes on my indexers. I have verified on my indexer from the manger that events are being created and I have searched the indexes on the indexer and search head and returned information, but the app is still empty. </P> <P>Result of search on the summary indexes If this helps</P> <PRE><CODE>09/25/2012 15:40:00, search_name="Web Traffic by host fivemin summary - regenerator", search_now=1348613100.000, info_min_time=1348612800.000, info_max_time=1348613100.000, info_search_time=1348613119.944, hits=240, myhost=******, sourcename="V:\\Logfiles\\W3SVC1910282147\\ex120925.log", report="\"WA webtraffic host summary index\"" </CODE></PRE> <P>Any Help would be appreciated..</P> Tue, 25 Sep 2012 22:48:40 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Web-Intelligence-application-NO-data-in-Distributed-environment/m-p/70981#M70650 paul_1994 2012-09-25T22:48:40Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Web-Intelligence-application-NO-data-in-Distributed-environment/m-p/70982#M70651 <P>My guess is that your IIS fields are not being extracted properly. When you search your IIS logs using the flashtimeline view, do you see fields like 'cookie', 'referer', 'uri', etc in the field picker? What is the sourcetype that your IIS logs are being assigned?</P> Wed, 26 Sep 2012 05:52:53 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Web-Intelligence-application-NO-data-in-Distributed-environment/m-p/70982#M70651 araitz 2012-09-26T05:52:53Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Web-Intelligence-application-NO-data-in-Distributed-environment/m-p/70983#M70652 <P>Hey Araitz- I met you @ .conf this year, but any way.. </P> <OL> <LI><P>did you want me to do this search in the web app or the search app. I am not sure if it makes a difference.</P></LI> <LI><P>In the search app i do an search for sourcetype=iis and it returns all the w3c fields and others in the field picker.</P></LI> <LI><P>The sourcetype being assigned is iis.. and some instances there is iis-2,3... etc but I am fixing those as I run into them </P></LI> </OL> <P>Thanks</P> Wed, 26 Sep 2012 16:45:04 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Web-Intelligence-application-NO-data-in-Distributed-environment/m-p/70983#M70652 paul_1994 2012-09-26T16:45:04Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Web-Intelligence-application-NO-data-in-Distributed-environment/m-p/70984#M70653 <P>So I thought I would follow up on my question. I worked with support and found out a couple of things.</P> <OL> <LI>you need to make sure your logs are being transformed correctly via props and transform</LI> <LI>A lot of the searches depend on the correct Field aliases being defined</LI> </OL> <P>For the Field aliases I had to change the defaults to match my environment with custom sourcetypes.</P> <P>for example here is a default alias for the WI</P> <P><STRONG>(?:::){0}iis-</STRONG>* : FIELDALIAS-clientip</P> <P>I had to clone the one above and create this one</P> <P><STRONG>iis</STRONG> : FIELDALIAS-iis-clientip</P> <P>because my sourcetype for iis was "iis" not "iis-***"</P> Fri, 28 Sep 2012 19:11:28 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Web-Intelligence-application-NO-data-in-Distributed-environment/m-p/70984#M70653 paul_1994 2012-09-28T19:11:28Z