
site value is not populating in SAWA 2.1.0 SplunkEnterprise 7.0.3

Path Finder

I somehow got this to work on SAWA 1.7 months and months ago.
This time around I cannot get site to populate.
[It seems like maybe the automatic lookup is not working; iis : LOOKUP-site, or the field alias iis : FIELDALIAS-host/cs_host AS host]

I have resorted to the test data in samples iis.log

Does anyone know if this website config will work for the test data? Or any other pointers?
key value source host
site testcom-some-concept iis.log

I tried to look very closely at the websites setup page;
"The "site" fields should match your domain name, i.e. ""."
So I tried setting the value to a similar value to cs_host for the test data; ""

key value source host
site iis.log
this is not working either

I've got the test data targeted as such:
eventtype=pageview site=* earliest=1536570057 latest=1536572457.001
does not work
eventtype=pageview earliest=1536570057 latest=1536572457.001
does work
tag=web earliest=1536570057 latest=1536572457.001
does work

I think if I can get a generate pages/sessions to work on the test data it should work on the rest of my data? [So that is what I was trying for at this point.]

0 Karma

Splunk Employee


A new version of the app is now live, which hopefully solves this issue.

v 2.2.0
- Added an option to use a different data model name than "Web". This caused conflicts with the default CIM datamodel also called Web.
- Made changes to Sites setup dashboard to make it easier.
- Migrated website setup settings to the KV store.
- Added better support for IIS. Now supports ms:iis:auto and ms:iis:default sourcetypes, which come from the official IIS Add-on.
- Updated User agent string parsing to latest version
- Various bug fixes

Path Finder

Splunk Common Information Model Splunk_SA_CIM 4.7.0

0 Karma

Path Finder

Everything is appearing to line up; after getting jbjerke · Mar 21 at 06:57 AM Props deployed from here;

0 Karma

Path Finder

...Got reamed out by Enterprise "X" Management for breaking their iis "compliance" alerts, but gosh darnit we got SAWA up; ...end-users are just resorting to ad hoc dashboards.

0 Karma