I've read several threads on this already and have been over the documentation. I'm not sure what I've done incorrectly.
Quick summary:
Apache data is going into Splunk. Source type is apache:access. I added this to the [web-traffic] section in eventtypes.conf:
[OR sourcetype="apache:access"]
The logs are going to the 'main' index, which my user has access to.
The lookups under "setup" do not return any data, nor does eventtype=web-traffic
However, tag=web does work in the app context.
"Data model audit" also does not return data. (and acceleration says 0)
What am I missing with this?
Thanks!
Hi jgauthier
The apache:access sourcetype does not extract all the fields you require for this app out of the box. Make sure that all field extractions that are currently mapped to sourcetype access_combined are also mapped to apache:access. You can do this by making a copy of props.conf in the "default" folder into the "local" folder and editing the section with field extractions linked to "access_combined".
Let me know how you get along.
johan
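The stanza mapping described in the answer above, as an added example that is not part of the original thread or the app's own code: it reads a props.conf, takes the settings under one sourcetype stanza and emits them under another, ready to save as local/props.conf. It assumes the app keeps its extractions in an `[access_combined]` stanza; the sample file contents and the `hypothetical_*` names are constructed.

```python
import re

# Constructed sample standing in for the app's default/props.conf; the
# settings below are hypothetical, not the app's real extractions.
SAMPLE_DEFAULT_PROPS = """\
[access_combined]
EXTRACT-http_referer_domain = ^(?:[^"]*"){3}https?://(?<http_referer_domain>[^/"]+)
EVAL-site = lower(host)
REPORT-web_fields = hypothetical_web_fields, \\
    hypothetical_session_fields

[iis]
EVAL-site = lower(s_sitename)
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def parse_stanzas(conf_text):
    """Return {stanza_name: [raw setting lines]}, keeping backslash continuations."""
    stanzas, current, continued = {}, None, False
    for line in conf_text.splitlines():
        if not continued:
            match = STANZA_RE.match(line)
            if match:
                current = stanzas.setdefault(match.group("name"), [])
                continue
            # Skip blank lines and comments between settings.
            if not line.strip() or line.lstrip().startswith("#"):
                continue
        if current is not None:
            current.append(line)
        # A trailing backslash means the value continues on the next line.
        continued = line.rstrip().endswith("\\")
    return stanzas


def clone_stanza(conf_text, src, dst):
    """Build props.conf text that applies src's settings to sourcetype dst."""
    stanzas = parse_stanzas(conf_text)
    if src not in stanzas:
        raise KeyError(f"no [{src}] stanza found")
    return "\n".join([f"[{dst}]", *stanzas[src]]) + "\n"


if __name__ == "__main__":
    print(clone_stanza(SAMPLE_DEFAULT_PROPS, "access_combined", "apache:access"))
```

Settings in the app's local folder take precedence over the same settings in default, so the local file only needs the new `[apache:access]` stanza rather than a full copy of the default file.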
What "lookups under setup"? It will really help if you provide a more complete context and fuller framing of your problem including sample events and searches.
Are you familiar with the application?
From the instructions:
Once the data has been imported run the two lookups "Generate user sessions" and "Generate pages".
They are the only two lookups under 'Setup' in the context of the application.