All Apps and Add-ons

Splunk for web analytics subsite

Path Finder

So after fumbling around and getting the Splunk for Web Analytics app working, we were asked to make the sites base off the first part of the path of the URI.

For example we have and
These logs come from the same IIS server and the same log, but they want to treat these like 2 different sites.

I tried modifying the generate sessions and generate pages to include the first part of the uri as the site and then added both sites to the website page:

     Site                   Host            Source
1 C:\LogFiles\WebLogs\*.log
2 C:\LogFiles\WebLogs\*.log
3 C:\LogFiles\WebLogs\*.log

This is the logic I added to the Generate Sessions and pages to make the first part of the path part of site:

| rex field=http_request "(?<sub_site>\/[^\/]+)(?<mod_request>\/.*)$" 
| fillnull sub_site value=""| eval site=site+sub_site 
| eval http_request=if(isnull(mod_request), http_request, mod_request)

But then all 3 sites seem to have the same stats and nothing really appears when I try to select any of them in any of the dashboards.

Beside having these sites put into separate log files is there any other way I can have multiple sites split out from the same host/log sources?

Thank you,

0 Karma

Splunk Employee
Splunk Employee

Hi Brian

I have not tried this myself but I believe it would work if you manually change the configuration for the wa_settings.csv lookup so it adds the site to each event based on your new rules. There is an automatic lookup that does this.

First do a field extraction to extract that part of the path in the menu Settings->Fields - you have called it sub_site in your example above. Then modify the auto lookup to add the site field based on this new field rather than the host and source which is the default setting.

Let me know how you get along.


0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...