Looking for some basic help with the Splunk Web Analytics Apps.
Currently the app is installed and pulling in the /var/log/httpd/* logs with sourcetype=apache_common. However, it is not able to display any data.
When I run the two lookups I don't get any result. Wondering if my initial setup is correct.
1) How do I get data in this app? The documentation says "Make sure you use the sourcetype apache_common, apache_combined or iis for this data" My source is apache so what sourcetype do I use? apache_common or apache_combined?
2) Are the /var/log/httpd/* logs all that are required for the app for source data?
Thanks!
You are right the documentation is wrong - This has now been corrected.
Just to clarify, the default sourcetypes for the app should be:
sourcetype="iis" OR sourcetype="access_combined" OR sourcetype="access_common" OR sourcetype="access_combined_wcookie"
One more clarification... I just realized the documentation says to use sourcetype=apache_combined, however the sample data uses sourcetype=access_combined. Is there an issue with the documentation or am I missing something?
In the context of the app, try and do the search for:
tag=web
If this is not returning any results I suspect you are not seeing the data because it is stored in a non-default index and the user in Splunk does not search in non-default indexes automatically.
You need to add All non-internal indexes to the Selected indexes in Access controls » Roles » [ROLE NAME]
Alternatively you can add just the index where the apache log files are stored.
There is a thread about this here:
http://answers.splunk.com/answers/237946/splunk-app-for-web-analytics-and-splunk-weblog-add.html
Indexes are already part of default search...
When I run the tag=web I don't get any results. Same for when I run the two built in lookups.
Still not sure what is wrong....
Have you looked at the documentation within the app?
Right after it mentions
Make sure you use the sourcetype apache_common, apache_combined or iis for this data.
it says:
If you already have data in Splunk under a different sourcetype you can use sourcetype renaming or modify the eventtype web-traffic to include the names of your sourcetypes.
So you can rename it if you need to but it sounds like you already have the sourcetype named correctly.
In the documentation page in the app:
The Splunk App for Web Analytics works in a multi website environment. Websites are configured from a combination of the host and the source field. Each event with that unique combination will be tagged with the corresponding website name in the field "site". There is a website setup form page that allows you to add these in an easy way. The data in the setup form will be stored in the lookup file called WA_settings.csv. You can also manually edit this file. The websites setup page can be found under Setup->Websites or by using the link above.
Once the data has been imported run the two lookups "Generate user sessions" and "Generate pages". These will be used throughout the app. Once run the first time, they will automatically be updated via two scheduled searches that run every 10 minutes and add any new data coming into the app. Running these lookup searches might take a long time depending on how much data you have in Splunk, but it's important you let the searches finish before you move on to the next step. The lookup reports can be found under Setup-Lookups or by using the links above. It's important that these searches return results. If not, the app will not work.
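The two paths the quoted documentation mentions (sourcetype renaming, or widening the web-traffic eventtype) as an added configuration example; this is not the app's own configuration. It assumes the events were indexed as apache_common / apache_combined, that the app's eventtype stanza is literally named web-traffic and carries the tag web, and that the default sourcetype list is the one given in the answer above.

```ini
# --- Option A: search-time sourcetype rename ---
# File (assumed): $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf
# Events already indexed as apache_common are reported as access_common,
# which the app's default sourcetype list matches. No re-indexing needed.
[apache_common]
rename = access_common

[apache_combined]
rename = access_combined

# --- Option B: extend the app's eventtype instead of renaming ---
# File (assumed): $SPLUNK_HOME/etc/apps/<your_app>/local/eventtypes.conf
# A stanza in local/ replaces the whole search string, so the app's default
# list is repeated here and the poster's own sourcetypes appended (assumption:
# the stanza name matches the app's eventtype exactly).
[web-traffic]
search = sourcetype="iis" OR sourcetype="access_combined" OR sourcetype="access_common" OR sourcetype="access_combined_wcookie" OR sourcetype="apache_common" OR sourcetype="apache_combined"

# File (assumed): $SPLUNK_HOME/etc/apps/<your_app>/local/tags.conf
# The app searches tag=web, so the eventtype must keep that tag.
[eventtype=web-traffic]
web = enabled

# Verification search (run in the app after a restart / refresh):
#   tag=web | stats count by index, sourcetype, host, source
# Zero rows with either option means the role still cannot see the index
# holding the logs (see the Access controls » Roles note earlier in the thread).
```

Use one option, not both, so the eventtype and the renamed sourcetype do not drift apart over time.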
Yes I read the documentation and the reason for my question #1.
I am unclear which sourcetype to use for apache logs. Can I use either, or are both required for different inputs?