
Splunk App for web analytics - Multiple Sites

eyem4usf
New Member

I am working on a brand new Splunk cloud instance. I installed the App for web analytics app and then uploaded an IIS log file. I configured the App by defining the site name and host, source mappings. I then ran the lookups for the Sessions and Pages and then enabled the data model acceleration.

I was able to see data and was happy. I then added another IIS log file for a different site/server to the same index named "main". I went back to the Setup --> Websites page expecting to see the new site in the "Available host and source combinations" section and it was not there. Only the initial site I setup is listed there. Additionally, when I search for tag=web from within the App it only shows me the data from the first site. If I run the same search outside of the App it doesn't return anything.

I could sure use a little help here. 🙂

-Pete

0 Karma

jbjerke_splunk
Splunk Employee

Hi eyem4usf

I suspect you imported the new data under a different sourcetype than "iis". The tag=web search will only search for the predefined sourcetypes access_combined, access_common and iis. Can you double-check what sourcetype you are using?

Run this search for all time:

index=main

and look at the sourcetypes and try and identify the new website data.

If they have a different sourcetype you can follow the steps outlined in the documentation on the very first paragraph:

Look in the documentation under the very first paragraph:

1. Import web server log data

The Splunk App for Web Analytics currently supports data from Apache and IIS logs. Make sure you use the sourcetype access_common, access_combined or iis for this data. If you already have data in Splunk under a different sourcetype, you can use sourcetype renaming or modify the eventtype web-traffic to include the names of your sourcetypes.

In the actual documentation page there are links directly to the settings that need to be modified to use a different sourcetype. I recommend the sourcetype renaming approach.

Let me know how you get along.

j

0 Karma
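The two fixes named in the reply above, written out as an added configuration example (this is not the app's own configuration and not part of the original thread). It assumes the second site's events landed under a sourcetype called "iis_site2", a constructed name; the real one is whatever "index=main | stats count by host source sourcetype" reports. The search string shown for the web-traffic eventtype is also an assumption about what the app ships; keep the app's own definition and only append the extra clause.

```ini
# Approach 1: sourcetype renaming (props.conf).
# Assumption: the new site's events carry sourcetype "iis_site2" (constructed).
[iis_site2]
rename = iis
# Events now match sourcetype=iis, so the app's tag=web search picks them up.
# The original value stays searchable through the _sourcetype field.

# Approach 2 (alternative): widen the app's eventtype (eventtypes.conf)
# so it also matches the extra sourcetype. The base search below is assumed.
[web-traffic]
search = sourcetype=access_combined OR sourcetype=access_common OR sourcetype=iis OR sourcetype=iis_site2
```

Pick one approach. Renaming keeps the app's eventtype untouched, which is why it survives app upgrades. On Splunk Cloud, where conf files are not edited directly, the same settings go in through the Settings menu (Event types) or are uploaded in a small private app; after the change, re-run the Setup --> Websites page so the new host and source combination is offered for mapping.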

kspillman_splun
Splunk Employee

First, determine if the data loaded and, if so, where it went.
Run the following search, index=* host= , and set your time picker to All time.
- Searching index=* will show whether the data was loaded under a different index.
- Setting the time picker to All time brings back data even if the timestamp is being parsed incorrectly or the timestamps are old.
If the above search returns data, run it again and add "OR host=". Then compare the differences in the returned data fields for the two data sets and see where they differ.

0 Karma