topic Re: Splunk App for Web Intelligence: what should column names be for IIS log data? in Getting Data In

Splunk App for Web Intelligence: what should column names be for IIS log data?

stjack99 — Mon, 28 Sep 2020 10:00:42 GMT

I'm having a problem getting web intel app showing any results. I've investigated a bit, and think the problem is the column names I used.

This is what I currently have set:

iislogs

FIELDS = "date", "time", "s_siteName", "s_computername", "dest_ip", "http_method", "uri_stem", "uri_query", "dest_port", "user", "src_ip", "http_user_agent", "http_cookie", "http_referrer", "dest_host", "http_response", "http_sub_response", "sc_win32Status", "bytes_out", "bytes_in", "duration"

DELIMS = " "

What column names does web intel expect me to have?

Re: Splunk App for Web Intelligence: what should column names be for IIS log data?

stjack99 — Sat, 22 Oct 2011 00:17:09 GMT

Figured it out. For anyone else who wants a fix for this:

1) navigate to Manager » Fields » Field aliases

2) Click on each alias, and add a new alias

Re: Splunk App for Web Intelligence: what should column names be for IIS log data?

CraigF — Tue, 20 Dec 2011 16:52:04 GMT

What aliases did you add?

Re: Splunk App for Web Intelligence: what should column names be for IIS log data?

MartinHarper — Thu, 13 Dec 2012 15:21:37 GMT

Here is a list of field aliases that may be needed, taken from [access-extractions] in default/transforms.conf

[access-extractions]
# matches access-common or access-combined apache logging formats
# Extracts: clientip, clientport, ident, user, req_time, method, uri, root, file, uri_domain, uri_query, version, status, bytes, referer_url, referer_domain, referer_proto, useragent, cookie, other (remaining chars)  
# Note: referer is misspelled in purpose because that is the "official" spelling for "HTTP referer"