
How to configure the Splunk App for Web Analytics based on my sample log to get data in the app?

svenolensky
Engager

I followed the steps described in https://splunkbase.splunk.com/app/2699/#/documentation

The logs are in the format below:
(sanitized)

2016-03-02 18:17:26 172.28.140.26 POST /blablablapage.asmx - 80 SERVERNAME 172.28.140.254 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.34209) - - 200 1721 1566
host = HOSTNAME source = d:\iislogs\W3SVC3\logfilename.log sourcetype = CSIIS

For Step 2, how exactly would I configure this? What would I put into the fields based on the logs above?

The Splunk App for Web Analytics works in a multi website environment. Websites are configured from a combination of the host and the source field. Each event with that unique combination will be tagged with the corresponding website name in the field "site". You can use wildcards (*) in the Source and Host field to select multiple files matching a pattern. There is a website setup form page that allows you to add these in an easy way.
Here are some examples of valid website configurations with or without wildcards.

No wildcards
Site            Host     Source
roadrunner.com  server1  /var/log/httpd/access_log
roadrunner.com  server2  /var/log/httpd/access_log

With wildcards
Site            Host     Source
roadrunner.com  server   /var/log/httpd/access_*


jbjerke_splunk
Splunk Employee

Hi Svenolensky

The correct configuration in the sites lookup would be:
Site           Host      Source
mywebsite.com  HOSTNAME  d:\iislogs\W3SVC3\logfilename.log

However, as you have the sourcetype set to CSIIS the app will not work out of the box. Look in the documentation under the very first paragraph:

1. Import web server log data

The Splunk App for Web Analytics currently supports data from Apache and IIS logs. Make sure you use the sourcetype access_common, access_combined or iis* for this data. If you already have data in Splunk under a different sourcetype, you can use sourcetype renaming or modify the eventtype web-traffic to include the names of your sourcetypes.

In the actual documentation page there are links directly to the settings that need to be modified to use a different sourcetype. I recommend the sourcetype renaming approach.

Let me know how you get along.

j

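The configuration the answer above describes, written out as an added example (this is not from the original post, the app, or its documentation): the site row for the sites lookup, the search-time sourcetype rename that makes the CSIIS events fall under the app's existing iis* handling, and the eventtype alternative. The lookup file name `sites.csv`, the column names, and the existing `web-traffic` search string are assumptions; take the real names from the app's lookup definition and its default/eventtypes.conf before copying anything.

```ini
# --- sites.csv (lookup file; name and column names assumed, check the
# --- app's lookup definition). One row per host/source combination.
# --- The host and source values must match the event fields exactly,
# --- so copy them from an actual event rather than retyping them.
# site,host,source
# mywebsite.com,HOSTNAME,d:\iislogs\W3SVC3\logfilename.log

# --- props.conf (local/ on the search head, e.g. inside the app's
# --- local directory). Recommended approach: rename the sourcetype at
# --- search time only. The indexed data keeps sourcetype=CSIIS, so
# --- index-time parsing (line breaking, timestamp extraction) is
# --- unchanged; searches for sourcetype=iis* now return these events
# --- and the original name remains available in the _sourcetype field.
[CSIIS]
rename = iis

# --- eventtypes.conf (alternative, only if you do NOT rename). Extend
# --- the app's web-traffic eventtype instead of replacing it: the
# --- search string below is an assumption, append "OR sourcetype=CSIIS"
# --- to whatever the app actually ships in default/eventtypes.conf.
# [web-traffic]
# search = sourcetype=access_common OR sourcetype=access_combined OR sourcetype=iis* OR sourcetype=CSIIS

# --- Verification search (SPL) after restarting or debug/refresh:
#   sourcetype=iis* host=HOSTNAME | stats count by _sourcetype, source, site
# --- Expected: _sourcetype=CSIIS, site=mywebsite.com. An empty "site"
# --- means the host/source pair in the lookup does not match the event;
# --- zero events means the rename is not in effect on the search head.
```

Only one of the two approaches (rename or eventtype edit) is needed. Note that a search-time rename is global for that sourcetype: any other dashboards, alerts or apps that search for sourcetype=CSIIS will stop matching and must use sourcetype=iis or _sourcetype=CSIIS instead, so check for those before applying it.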