I am working on a brand new Splunk Cloud instance. I installed the App for Web Analytics and then uploaded an IIS log file. I configured the app by defining the site name and the host and source mappings. I then ran the lookups for the Sessions and Pages and then enabled the data model acceleration.
I was able to see data and was happy. I then added another IIS log file for a different site/server to the same index named "main". I went back to the Setup --> Websites page expecting to see the new site in the "Available host and source combinations" section and it was not there. Only the initial site I set up is listed there. Additionally, when I search for tag=web from within the app it only shows me the data from the first site. If I run the same search outside of the app it doesn't return anything.
I could sure use a little help here. 🙂
I suspect you imported the new data under a different sourcetype than "iis". The tag=web search will only search for the predefined sourcetypes access_combined, access_common and iis. Can you double-check what sourcetype you are using?
Run this search for all time:
and look at the sourcetypes and try and identify the new website data.
If they have a different sourcetype you can follow the steps outlined in the very first paragraph of the documentation:
1. Import web server log data
The Splunk App for Web Analytics currently supports data from Apache and IIS logs. Make sure you use the sourcetype access_common, access_combined or iis for this data. If you already have data in Splunk under a different sourcetype you can use sourcetype renaming or modify the eventtype web-traffic to include the names of your sourcetypes.
In the actual documentation page there are links directly to the settings that need to be modified to use a different sourcetype. I recommend the sourcetype renaming approach.
Let me know how you get along.
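As an added illustration, not taken from the post or from the app's own configuration files, here is what the two approaches above look like as Splunk configuration. It assumes the second site's events were indexed under the hypothetical sourcetype iis_site2, and the web-traffic eventtype search is written in a simplified form, since the app's exact stanza is not reproduced on this page.

```ini
# --- props.conf (preferred approach: sourcetype renaming) ---
# On Splunk Cloud this is set through Settings > Source types or by
# uploading a small app; on-prem it goes in .../local/props.conf.
# Assumption: the second site's log came in as the hypothetical
# sourcetype "iis_site2". "rename" is applied at search time only, so
# tag=web now matches these events as sourcetype=iis while the original
# name stays visible in the _sourcetype field.
[iis_site2]
rename = iis

# --- eventtypes.conf (alternative: widen the app's eventtype) ---
# Use ONE of the two approaches, not both. Assumption: the app's own
# web-traffic search is shown here in simplified form; copy the real
# stanza from the app's default/eventtypes.conf into local/ and extend
# it rather than replacing it blindly.
[web-traffic]
search = sourcetype=access_common OR sourcetype=access_combined OR sourcetype=iis OR sourcetype=iis_site2

# To confirm the fix, run this search over "All time" and check that both
# hosts appear:   index=main tag=web | stats count by host sourcetype
```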
First, determine if the data loaded and if so where it went.
Run the following search with your time picker set to all time:
index=* host=
- searching for index=* will determine if the data got loaded under a different index.
- setting the time picker to all time will bring back data even if the time is being parsed incorrectly or if the timestamps are old
If the above search returns data, run it again and add an "OR host=". Then compare the differences in the returned data fields for the two data sets and see where they differ.