Splunk App for web analytics - Multiple Sites

eyem4usf
New Member

I am working on a brand new Splunk cloud instance. I installed the App for web analytics app and then uploaded an IIS log file. I configured the App by defining the site name and host, source mappings. I then ran the lookups for the Sessions and Pages and then enabled the data model acceleration.

I was able to see data and was happy. I then added another IIS log file for a different site/server to the same index named "main". I went back to the Setup --> Websites page expecting to see the new site in the "Available host and source combinations" section and it was not there. Only the initial site I set up is listed there. Additionally, when I search for tag=web from within the App it only shows me the data from the first site. If I run the same search outside of the App it doesn't return anything.

I could sure use a little help here. 🙂

-Pete

0 Karma

jbjerke_splunk
Splunk Employee

Hi eyem4usf

I suspect you imported the new data under a different sourcetype than "iis". The tag=web search will only search for the predefined sourcetypes access_combined, access_common and iis. Can you double-check what sourcetype you are using?

Run this search for all time:

index=main

and look at the sourcetypes and try and identify the new website data.

If they have a different sourcetype, you can follow the steps outlined in the documentation in the very first paragraph:

Look in the documentation under the very first paragraph:

1. Import web server log data

The Splunk App for Web Analytics currently supports data from Apache and IIS logs. Make sure you use the sourcetype access_common, access_combined or iis for this data. If you already have data in Splunk under a different sourcetype you can use sourcetype renaming or by modifying the eventtype web-traffic to include the names of your sourcetypes.

In the actual documentation page there are links directly to the settings that need to be modified to use a different sourcetype. I recommend the sourcetype renaming approach.

Let me know how you get along.

j

0 Karma

kspillman_splun
Splunk Employee

First, determine if the data loaded and, if so, where it went.
Run the following search: index=* host= and set your time picker to all time.
- Searching for index=* will determine if the data got loaded under a different index.
- Setting the time picker to all time will bring back data even if the time is being parsed incorrectly or if the timestamps are old.
If the above search returns data, run it again and add an "OR host=". Then compare the differences in the returned data fields for the two data sets and see where they differ.

0 Karma