All Apps and Add-ons

Splunk App for Web Analytics: Where is the field "cs_*" coming from?


The "status" field is not defined for any of my eventtype=web-traffic data. Therefore the eventtype pageview is not found, and no data found in the lookups.

Where is event cs_* defined? And where is it coming from? Nowhere do I see cs_status or anything related to spotting the HTTP "status" field. I can see the FIELDALIAS's for cs_bytes, cs_host_csusername, sc_statusetc, etc.

0 Karma

Splunk Employee
Splunk Employee

Hi Mike

To help you I need some more details.

What is the web server you are using? What is the sourcetype in Splunk for this data?
Do you see the status field in the raw event?

For IIS the sourcetype should be "iis", for Apache, the sourcetype should be any of the "access_combined" variants. If the status field is in the raw data and you are using the correct sourcetype you need to create a field extraction for the status field. This field should be called "http_status" and you should be able to extract this from your logs using the interactive field extractor
link text

Let me know how you get along.


0 Karma


The web server is iis - sharepoint. The data is showing up assourcetype both iis and iis-2. I am using sourcetype renaming - turning the iis-2 to iis. So all data is sourcetype=iis. The status field is in each event, but not extracted anywhere as status, http_status, sc_status, cs_status etc.etc. So far having issues creating the extraction as some events are longer or shorter with different number of fields.

0 Karma
Get Updates on the Splunk Community!

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out >> 🏆 Check out the ...

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...