Splunk for web analytics subsite

bkirk
Path Finder

So after fumbling around and getting the Splunk for Web Analytics app working, we were asked to make the sites based off the first part of the path of the URI.

For example we have www.example.com/abc and www.example.com/xyz.
These logs come from the same IIS server and the same log, but they want to treat these like 2 different sites.

I tried modifying the generate sessions and generate pages to include the first part of the uri as the site and then added both sites to the website page:

     Site                  Host          Source
1    www.example.com       example.com   C:\LogFiles\WebLogs\*.log
2    www.example.com/abc   example.com   C:\LogFiles\WebLogs\*.log
3    www.example.com/xyz   example.com   C:\LogFiles\WebLogs\*.log

This is the logic I added to the Generate Sessions and pages to make the first part of the path part of site:

| rex field=http_request "(?<sub_site>\/[^\/]+)(?<mod_request>\/.*)$"
| fillnull sub_site value=""
| eval site=site+sub_site
| eval http_request=if(isnull(mod_request), http_request, mod_request)

But then all 3 sites seem to have the same stats and nothing really appears when I try to select any of them in any of the dashboards.

Besides having these sites put into separate log files, is there any other way I can have multiple sites split out from the same host/log sources?

Thank you,
Brian

0 Karma

jbjerke_splunk
Splunk Employee

Hi Brian

I have not tried this myself but I believe it would work if you manually change the configuration for the wa_settings.csv lookup so it adds the site to each event based on your new rules. There is an automatic lookup that does this.

First do a field extraction to extract that part of the path in the menu Settings->Fields - you have called it sub_site in your example above. Then modify the auto lookup to add the site field based on this new field rather than the host and source which is the default setting.

Let me know how you get along.

j

0 Karma
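
The lookup behaviour discussed in this thread, as an added example that is not part of either post or of the app's own code: a Python model showing why a lookup keyed only on host and source cannot tell the three rows apart, and how keying on sub_site as well picks one site per event. The table rows, the sub_site column, the sample requests and the function names are constructed for illustration, and sending unknown first path segments to the root site is an assumption.

```python
import re
from fnmatch import fnmatchcase

# The rex pattern from the question, in Python's (?P<name>...) syntax.
SUB_SITE_RE = re.compile(r"(?P<sub_site>/[^/]+)(?P<mod_request>/.*)$")

LOGS = r"C:\LogFiles\WebLogs\*.log"
# Constructed rows mirroring the website page in the question;
# the sub_site column is a hypothetical addition to the lookup.
SETTINGS = [
    {"site": "www.example.com", "host": "example.com", "source": LOGS, "sub_site": ""},
    {"site": "www.example.com/abc", "host": "example.com", "source": LOGS, "sub_site": "/abc"},
    {"site": "www.example.com/xyz", "host": "example.com", "source": LOGS, "sub_site": "/xyz"},
]


def split_request(http_request):
    """Mirror the rex / fillnull / eval lines: (sub_site, remaining request)."""
    m = SUB_SITE_RE.search(http_request)
    return (m["sub_site"], m["mod_request"]) if m else ("", http_request)


def _rows(host, source):
    """Rows whose host equals the event's and whose source pattern matches."""
    return [r for r in SETTINGS
            if r["host"] == host and fnmatchcase(source, r["source"])]


def sites_by_host_source(host, source):
    """Key on host and source only: all three rows match every event."""
    return [r["site"] for r in _rows(host, source)]


def site_by_sub_site(host, source, http_request):
    """Key on host, source and sub_site: one row per event."""
    sub_site, request = split_request(http_request)
    by_sub = {r["sub_site"]: r["site"] for r in _rows(host, source)}
    if sub_site in by_sub:
        return by_sub[sub_site], request
    # First segment is not a configured sub-site (e.g. /images):
    # assumed here to belong to the root site, with the path unchanged.
    return by_sub.get(""), http_request


if __name__ == "__main__":
    src = r"C:\LogFiles\WebLogs\u_ex240101.log"  # constructed file name
    print(sites_by_host_source("example.com", src))
    for uri in ("/abc/page.aspx", "/xyz/img/a.png", "/index.html", "/images/logo.png"):
        print(uri, "->", site_by_sub_site("example.com", src, uri))
```

A request for `/abc` with nothing after it does not match the regex, so in this model it is counted under the root site.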