I set up what would be about 170 site-source entries with wildcard log locations. It looks like it's going to be a truly monstrous amount of logs.
Previously when I was previewing it, I set up for 2 domain names, with about 8 website source entries.
The data model is building, so I went into real-time to see what I can see, and I only see things for the 2 domains I had set up previously. Is this something it will sort out on its own after a long long processing time, or is there something else I might have done wrong?
I think some of the issue comes from the fact that I have a site field that's getting auto-extracted out of the logs; when I view
tag=web site=* |dedup site | table site
I get all kinds of results, not just what I put in the settings file.
[EDIT]
My host entry was not case sanitized. V does not equal v.
Hi hatbeard
Can you try and add this to the real-time dashboard? It will limit the search to just the sites in the config:
eventtype=pageview site="*" [| inputlookup WA_settings | rename value as site | fields site]
j
Did not do much.
Even when I run it as
eventtype=pageview site="*" [| inputlookup WA_settings | rename value as site | fields site] | dedup site |table site
it shows just the first two that I set up previously, despite there being 168 entries in the CSV file. It shows them in the drop-down search window, though; that works fine.
Strangely, when I do a search on just |inputlookup WA_settings, I get all of the contents of the file.
Hi hatbeard
The real-time dashboard uses this base search to produce the output:
eventtype=pageview site="*"
It should show you all data that matches that search and not be limited to just the sites you have configured under website setup. The only caveat is that each event needs to have the site field present and filled out. For some web log configurations this field is already part of the log file (as you mentioned) and will be present even though you haven't configured it.
Let me know how you get along.
j
Yeah, it seems that it's taking and auto-extracting the site field. In a lot of the URI stems in our logs there's going to be a site=foo. Is there a way to tell Splunk to bug off on that, or change the app to use a different variable?
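Two problems surface in this thread: site values that differ only in case (V vs v) never match the lookup, and site values auto-extracted from URI stems show up in the dashboard even though they are not in WA_settings. The search below is an added example, not code from the thread or from the Web Analytics app, that reconciles the two lists in one pass. It assumes, as the thread shows, that the lookup WA_settings carries the configured site names in a column called value and that pageview events already have a site field; the field names events, configured and status are hypothetical names chosen for this example.

```spl
eventtype=pageview site="*"
| eval site=lower(trim(site))
| stats count AS events BY site
| append
    [| inputlookup WA_settings
     | eval site=lower(trim(value)), events=0, configured=1
     | fields site events configured ]
| stats sum(events) AS events, max(configured) AS configured BY site
| fillnull value=0 configured
| eval status=case(configured=0, "auto-extracted from logs, not in WA_settings",
                   events=0, "configured in WA_settings, no pageview events",
                   true(), "ok")
| table site events configured status
```

Lower-casing both sides before the second stats is what makes "V" and "v" collapse into one row; without it the lookup entry and the extracted value stay separate. Rows marked as auto-extracted are the site=foo values the question is about, so the table doubles as a check of how much of the real-time dashboard's output comes from the configuration versus from the URI extraction.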