topic Re: sourcenames in Getting Data In

sourcenames

evosplunk — Mon, 16 Apr 2012 18:59:15 GMT

So as far as i can understand, you can define a common sourcename for several sourcetypes

I am using the webintelligence beta app, and this generates a sourcenames.csv file in /splunk/etc/apps/webintelligence/lookups

this looks like this:

source,sourcename
"/var/log/apache2/access.log","sourcename"

But when i search for "sourcename" i does not find anything

What am i missing? i'm feeling ive read the manual on webintelligence and i cannot find any more info on this

Thanks!

Re: sourcenames

pstout — Mon, 16 Apr 2012 19:18:21 GMT

If you want to search for a particular sourcename, use

eventtype=web-traffic | lookup sourcenames.csv source outputnew sourcename | search sourcename="<SOURCENAME_TO_SEARCH>"

Sourcename is not in the original event data so you must enrich the data through the lookup table.

Keep in mind you'll need to be within the web intelligence app as neither the lookup nor eventtype have global visibility.

Re: sourcenames

evosplunk — Mon, 28 Sep 2020 11:40:59 GMT

But all the searches form within webinteligence doesnt return any results with the searches like

search host=* [ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=(86400+3600),"index=wi_summary_hourly","index=wi_summary_daily") ] source="User session visitor source*" sourcename="vorcast.org" | timechart eval(sum(myeventcount)) AS pageviews, dc(clientip) AS unique_visitors, eval((sum(myeventcount))/dc(clientip)) AS avg_pageviews

Re: sourcenames

pstout — Mon, 16 Apr 2012 22:13:19 GMT

Where are you searching? I'm using this URI:

http://splunk-server:port/en-US/app/webintelligence/flashtimeline

You can't just use the sourcename in the query without first specifying the lookup table as I mentioned above using the "lookup" command. The field does not exist before this.

Re: sourcenames

evosplunk — Mon, 16 Apr 2012 22:38:55 GMT

Im just trying to get the en-US/app/webintelligence/business_pageviews etc (pre defined searches) to show somehting, they are not. alhtough the search you provided works well.

Re: sourcenames

pstout — Mon, 16 Apr 2012 22:44:34 GMT

Have you gone through the setup process?

/en-US/app/webintelligence/setup

Particularly #3 -- "Specify Log Sources." It's been some time since I configured the app for web intelligence but this would certainly impact the population of the bundled dashboards.

If so, do other dashboards populate? Do you get any error messages? Have you made any changes to the saved searches or eventtypes defined in the stock WI app?

Re: sourcenames

evosplunk — Mon, 16 Apr 2012 22:47:36 GMT

Maybe i just misunderstand the setup

None of teh dashboards show anything, ive gone through the setup process, and i have specified one apache access log and one error log for testing.

Ive not made changes to the stock searches, am i supposed to?

Re: sourcenames

pstout — Mon, 16 Apr 2012 22:51:54 GMT

In that box, you should put something like:

index="main" sourcetype="access_combined"

Of course, replace the index and sourcetype with actual values from your instance.

Re: sourcenames

evosplunk — Mon, 16 Apr 2012 23:00:53 GMT

I just put in
sourcetype="vorcast*"
ive defined the sourcetype in index before, theres a preview button there, and that shows me that it finds something based on my search.

Thank you very much for helping me understand this btw, much appreciated!

Re: sourcenames

evosplunk — Mon, 16 Apr 2012 23:13:27 GMT

For instance, this search ReportOps - Top URI By Good Status
sounds like this:

timerange_hack source="Web Traffic goodstatus*" | eval status=toString(floor(status/100))+"xx" | stats values(myclientip) as myips sum(hits) as myhits by uri, status | mvexpand myips | stats dc(myips) as "unique ips" max(myhits) as "total count" by uri, status

What is the source in this? where is that source defined? Am i supposed to change it?

Re: sourcenames

pstout — Mon, 28 Sep 2020 11:41:04 GMT

That source might be the product of a summary index saved search. You shouldn't have to change the sources that are predefined.

Not sure what sourcetype="vorcast" is. The web intelligence app should be looking for Apache access_combined or Microsoft IIS logs. These should be sourcetype="access_combined" or sourcetype="iis"

If you open your search app, can you get results for any of the following searches?

sourcetype="access_combined"

sourcetype="access_common"

sourcetype="iis"

Re: sourcenames

evosplunk — Mon, 28 Sep 2020 11:41:06 GMT

Sorry, vorcast is a site, the sourcetype=vorcast* is a apache access and error log, they are defined in splunk as vorcast_access and vorcast_error so sourcetype=vorcast* shows all of that in a search, i see that it works.
searches for access_combined etc also show results.

The site in questions logs to its own log files.