Currently having trouble getting the Web Analytics to work correctly. None of the dashboards get results. I have scoured this site for explanations and keep getting similar answers: site setup might be incorrect. Though for the life of me... it's not working.
Universal Forwarder installed on the remote server. Index is main.
Site = TESTSITE
Host = TESTSITE
Source = E:\Logfiles\W3SVC1\u_ex*
Available host and source combinations have green checks on all entries.
Tag=web search works fine,
file populates, just no
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2016-07-22 15:37:05 W3SVC1 TESTSITE 10.1.19.90 POST //default.aspx/SearchSalesParts - 80 DOMAIN\USER CLIENTIP HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko ASP.NET_SessionId=qd0aktxyhjml5e33l5jj2kf0 http://testsite/default.aspx testsite 200 0 0 499 584 78
host = testsite
http_method = POST
http_referer = http://testsiteurl/default.aspx
http_request = /default.aspx/SearchSalesParts
http_user_agent = Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko
source = E:\Logfiles\W3SVC1\u_ex160722.log
sourcetype = iis
I have followed the steps correctly in the documentation, and I've uninstalled/reinstalled the app already, still same results. Any help would be appreciated. If you need any more details just ask, I can get those no problem.
Do a search in Splunk for tag=web
Identify what the "host" field and the "source" field contain. Make sure that whatever you see there is typed exactly (case sensitive) into the site configuration. Try without a wildcard first to see that it works with a single source, and then try with the wildcard (*) to include all sources.
Let me know how you get along.
After running the search tag=web I compared the results below. I changed the website config to lowercase and I now got all red exclamation points. HOWEVER, the lookups are now working, data model accelerated and I am getting results for the dashboards! Is this okay to have red exclamation points even though everything says I should have green checkpoints?
search host - testsite
website host - TESTSITE
website source - E:\Logfiles\W3SVC1\u_ex*
search source - E:\Logfiles\W3SVC1\u_ex160728.log
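The comparison suggested in the answer above, as an added example that is not part of the thread or of the app's own code. It assumes the site definition is matched case-sensitively against each event's host and source, with `*` as the only wildcard; the function names are hypothetical and the values are the ones posted in the thread.

```python
import re


def wildcard_match(pattern: str, value: str, case_sensitive: bool = True) -> bool:
    """Match value against pattern, where '*' is the only wildcard."""
    # Escape every literal part (backslashes in Windows paths included)
    # and let each '*' stand for any run of characters.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def diagnose(site: dict, event: dict) -> dict:
    """Compare one site definition with the host/source of one event."""
    report = {}
    for field in ("host", "source"):
        if wildcard_match(site[field], event[field]):
            report[field] = "match"
        elif wildcard_match(site[field], event[field], case_sensitive=False):
            # Same text, different letter case: the problem in this thread.
            report[field] = "case-only mismatch"
        else:
            report[field] = "mismatch"
    return report


# Site definition as first entered, and after changing the host to lowercase.
SITE_AS_CONFIGURED = {"host": "TESTSITE", "source": r"E:\Logfiles\W3SVC1\u_ex*"}
SITE_CORRECTED = {"host": "testsite", "source": r"E:\Logfiles\W3SVC1\u_ex*"}

# host and source as shown on the indexed event (tag=web search result).
EVENT = {"host": "testsite", "source": r"E:\Logfiles\W3SVC1\u_ex160722.log"}

if __name__ == "__main__":
    for name, site in (("as configured", SITE_AS_CONFIGURED),
                       ("corrected", SITE_CORRECTED)):
        print(name, diagnose(site, EVENT))
```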