The "status" field is not defined for any of my eventtype=web-traffic data. Therefore the eventtype pageview is not found, and no data is found in the lookups.
Where is event cs_* defined? And where is it coming from? Nowhere do I see cs_status or anything related to spotting the HTTP "status" field. I can see the FIELDALIAS's for cs_bytes, cs_host_csusername, sc_status etc., etc.
Hi Mike
To help you I need some more details.
What is the web server you are using? What is the sourcetype in Splunk for this data?
Do you see the status field in the raw event?
For IIS the sourcetype should be "iis"; for Apache, the sourcetype should be any of the "access_combined" variants. If the status field is in the raw data and you are using the correct sourcetype, you need to create a field extraction for the status field. This field should be called "http_status" and you should be able to extract this from your logs using the interactive field extractor.
Let me know how you get along.
j
The web server is IIS - SharePoint. The data is showing up as sourcetype both iis and iis-2. I am using sourcetype renaming - turning the iis-2 to iis. So all data is sourcetype=iis. The status field is in each event, but not extracted anywhere as status, http_status, sc_status, cs_status etc. etc. So far having issues creating the extraction as some events are longer or shorter with different number of fields.
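
An added example, not part of the thread and not code from any Splunk app: assuming the differing field counts come from IIS W3C files whose `#Fields:` header differs between files or changes mid-file, this Python parser maps every event to the header in force for it rather than to fixed positions, and exposes `sc-status` under the `http_status` name the answer asks for. The sample log lines and the function names are constructed for illustration.

```python
# Constructed sample: two IIS W3C segments with different #Fields layouts.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem sc-status sc-bytes
2013-05-01 10:00:01 GET /sites/home.aspx 200 5120
2013-05-01 10:00:02 GET /missing.aspx 404 1245
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status sc-substatus sc-win32-status
2013-05-01 10:05:00 10.0.0.5 POST /_vti_bin/lists.asmx - CONTOSO\\user1 10.0.0.9 401 2 5
2013-05-01 10:05:01 10.0.0.5 GET /default.aspx - - 10.0.0.9 200 0 0
2013-05-01 10:05:02 truncated line
"""


def parse_w3c(lines):
    """Yield one dict per event, keyed by the field names in force for that line."""
    fields = None
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Only the #Fields directive changes how later lines are read.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        # W3C fields are space-separated; IIS writes spaces inside values as '+'.
        values = line.split()
        if fields is None or len(values) != len(fields):
            # Do not guess positions: flag the line so it can be reviewed.
            yield {"_line": lineno, "_error": "field count does not match #Fields"}
            continue
        event = dict(zip(fields, values))
        event["_line"] = lineno
        event["http_status"] = event.get("sc-status")  # alias used in the answer
        yield event


def status_counts(log_text):
    """Count events per http_status; lines that cannot be mapped count as 'unparsed'."""
    counts = {}
    for event in parse_w3c(log_text.splitlines()):
        key = event.get("http_status") or "unparsed"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print(status_counts(SAMPLE_LOG))
```
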