Having a bit of an issue getting the Splunk App for Web Analytics setup completed. Here are some details:
The 'Setup new website' panel appears to be working properly, i.e. after adding a site it is listed in the 'Configured websites' panel and is added to the WA_settings.csv file. Here's an example of the wildcards I'm using:
key,value,source,host
site,"mysite.mydomain.com","H:\inetpub\logs\LogFiles\my-site\W3SVC**","mynode-01"
I have verified the Role being used to set up the app (Admin) has the proper index listed for both 'indexes searched by default' and 'indexes'. In fact I've simply added 'All non-internal indexes' to both.
The following manual searches all return results:
tag="web"
sourcetype="iis"
source="H:\inetpub\logs\LogFiles\my-site\W3SVC*\"
| tstats prestats=t count where index= by host,source | stats count AS events by host, source | search host=""* OR source=""*
It seems like everything is in place, but when I go to build the lookups nothing is returned. Any help to narrow down my configuration oversight would be much appreciated.
Hi eckdale
Are both lookups failing or just the Sessions one?
The Pages lookup is very simple:
eventtype=pageview | table site http_request
The Sessions is much more complicated and uses the transaction command and is reliant on the "site" field being present.
In the context of the app, try and do the search for:
tag=web
If this is returning results (which you are saying it does), double check that each entry has the "site" field populated. If not, the Session lookup will not work.
Can you try this and report back what you get?
j
BTW: Just wanted to say thanks for the time you've dedicated to this.
Unfortunately both lookups are failing. In the context of the app I searched for:
tag=web
which returned several million matched events.
To be clear, I have configured 175 unique sites in the WA_settings.csv file (all IIS) but there are hosts with sourcetype=iis data that I have intentionally not included. Is that a problem? I.e., if I have two hosts, one test and one production, forwarding sourcetype=iis data and only include one of them (production) in the WA_settings.csv file, will the lookups fail?
Hi eckdale
I suspect the site is configured wrong and the site field is not being applied to the source and host combination. For instance, in the example above I see double slashes \\ in the source data but not in the site configuration lookup.
There is a new version of the app (1.4) which greatly enhances the setup process with visual cues (green check marks) if it is configured correctly.
https://splunkbase.splunk.com/app/2699/
j
The double-backslashes, or escaped backslashes, in the manual search are there because Splunk seems to require them when searching for a string that uses backslashes (I assume this is part of Splunk's Linux heritage). The lack of escaped backslashes in the WA_settings.csv file is a direct result of how the app builds the file itself when using the Setup > Websites form.
I assumed the app handled the use of backslashes in some manner; however, I too had noticed this early on in my troubleshooting and manually modified the WA_settings.csv file to include the escaped backslashes, with no success.
I've upgraded the app to v1.4 and now see green check marks under the 'Configured' heading on the Setup > Websites form; however, building lookups still fails with no results.
Hi eckdale
I recently launched a new version, 1.41. This has improved support for IIS. There were some bugs with the previous version so I recommend you upgrade.
https://splunkbase.splunk.com/app/2699/
j
Installed the update and the lookups are building as I type this. Thanks so much for the continued effort.