All Apps and Add-ons

Web Intelligence - No Results found with customized sourcetype

starndawn
New Member

The sourcetype is customized, not default access_combined/access_custom format. I can preview the data after setting the sourcetype in setup page. But the dashboard returns "No Results found". Can web intelligence only work in default sourcetype access_combined? The "data exploration -> search " can return result even I don't point out the sourcetype in the query. Thanks.

0 Karma

MartinHarper
Path Finder

If you have a customized web log format, you may need to use Field Extraction to get the fields out of the log, depending on what your log looks like (can you tell us?).

Once you have extracted the fields, depending on how they are extracted, you may need to use Field Alias to make sure the fields are named correctly. Here is a list of field aliases that may be needed, taken from [access-extractions] in default/transforms.conf

[access-extractions]
# matches access-common or access-combined apache logging formats
# Extracts: clientip, clientport, ident, user, req_time, method, uri, root, file, uri_domain, uri_query, version, status, bytes, referer_url, referer_domain, referer_proto, useragent, cookie, other (remaining chars)  
# Note: referer is misspelled in purpose because that is the "official" spelling for "HTTP referer" 
0 Karma

starndawn
New Member

so it looks like the web intelligence doesn't work with customized web log format, doesn't it?

0 Karma

sdaniels
Splunk Employee
Splunk Employee

Please take a look at the following:

http://splunk-base.splunk.com/answers/34974/no-results-found-using-web-intelligence-app

http://splunk-base.splunk.com/answers/48239/web-intelligence-app-empty

The one thing I can think is the format of your sourcetype needs to match the expected access logs.

http://httpd.apache.org/docs/2.2/logs.html

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...