
splunk app for web analytics - User session data is not showing

splunkselva
New Member

Hi,

Splunk App for Web Analytics, sourcetype configuration: recently, all web server IIS logs were configured with the "ms:iis:auto" sourcetype instead of "iis". After this configuration change the app was not working properly. As per the documentation, I included the new sourcetype in the event type "web-traffic" and selected "generate user sessions" and "generate pages", then made the data model acceleration changes, but no luck.
I have even added the field extraction properties for this sourcetype in the app's props.conf, but the issue is not fixed.

Can anyone suggest or guide me through the configuration steps to generate session data with sourcetype "ms:iis:auto"?

Regards,
Selva

0 Karma

jbjerke_splunk
Splunk Employee

Hi splunkselva,

Edit the default props.conf and copy the stanza [iis] into a new local props.conf [ms:iis:auto]

You also need to edit the eventtype definitions in eventtype.conf.

Let me know how you get along.

j

0 Karma

splunkselva
New Member

Hi jbjerke,

Thanks for the reply. I have added the ms:iis:auto sourcetype configuration in props.conf (in the local folder), and the eventtype definition in eventtype.conf has also been updated. But session data is not showing in any of the dashboards. I have also noticed this issue for another built-in sourcetype (apache:access) as well.

ms:iis:auto sourcetype configuration in props.conf (named capture groups restored where the forum rendering stripped the <name> part; the missing closing parenthesis in EVAL-http_channel is also fixed)

[ms:iis:auto]
# Extract the referrer host from cs_Referer; the group must be named to produce a field
EXTRACT-http_referer_domain = https?:\/\/(?<http_referer_domain>[^/]+) in cs_Referer
EVAL-http_referer = if(isnull(cs_Referer),"-",cs_Referer)
# Aliases from IIS W3C field names to the CIM-style names the app's searches use
FIELDALIAS-cs_username = cs_username as user
FIELDALIAS-cs_User_Agent = cs_User_Agent as http_user_agent,cs_User_Agent_ as http_user_agent
FIELDALIAS-cs_uri_stem = cs_uri_stem as uri_path
FIELDALIAS-cs_uri_query = cs_uri_query as uri_query
FIELDALIAS-TimeTakenMS = TimeTakenMS as duration, TimeTakenMS as response_time, time_taken as duration, time_taken as response_time
FIELDALIAS-sc_status = sc_status as status
FIELDALIAS-s_sitename = s_sitename as site
FIELDALIAS-s_ip = s_ip as dest_ip, s_ip as dest, s_ip as dvc
FIELDALIAS-s_port = s_port as http_port, s_port as dest_port, s_port as port
FIELDALIAS-s_computername = s_computername as host
FIELDALIAS-RequestsPerSecond = RequestsPerSecond as hits_per_second
FIELDALIAS-cs_Referer = cs_Referer as http_referrer, cs_Referer_ as http_referrer, cs_Referer as http_referer, cs_Referer_ as http_referer
FIELDALIAS-cs_method = cs_method as http_method
FIELDALIAS-cs_Cookie = cs_Cookie as cookie, cs_Cookie_ as cookie
FIELDALIAS-c_ip = c_ip as src_ip, c_ip as src
FIELDALIAS-sc_bytes = sc_bytes as bytes_out
FIELDALIAS-cs_bytes = cs_bytes as bytes_in

# Note: EXTRACT-file is defined twice in this stanza; Splunk keeps only the last
# definition, so the first one (which has no capture group) never takes effect
EXTRACT-file = .*/ in cs_uri_stem

EXTRACT-file = (?<file>\w+(?:.\w+)+$) in cs_uri_stem

# Global properties, applied to all sourcetypes for the app

EXTRACT-http_locale = (?i)^(?:[^;\n]*;){3}\s+(?P<http_locale>[a-z]{2}(|[-][a-z]{2}));
EVAL-file = if(match(file,"."),file,NULL)
# Classify traffic as Direct, Referal, or the channel resolved by the WA_channels lookup
EVAL-http_channel = if(http_referer="-","Direct", if(like(http_referer_domain,"%".site."%"),"Direct", if(isnull(http_channel), "Referal", http_channel)))
EVAL-http_referer_domain = replace(http_referer_domain, "http(s|):\/\/", "")
EVAL-http_referer_hostname = replace(replace(replace(http_referer_domain, "http(s|):\/\/", ""), "^(www|m|uk|r|l|tpc|lm).+", ""), "(.{1}[a-zA-Z]+)", "")
# Pseudonymous visitor id: hash of client IP and user agent (the separator string was lost in the post)
EVAL-user = md5(clientip."
".http_user_agent)
LOOKUP-2_Channels = WA_channels Hostname AS http_referer_hostname OUTPUT Channel AS http_channel
LOOKUP-site = WA_settings source AS source host AS host OUTPUTNEW value AS site

eventtype definition configuration in eventtypes.conf file
[web-traffic]
search = sourcetype="aws:cloudfront:accesslogs" OR sourcetype="apache:access" OR sourcetype="iis" OR sourcetype="ms:iis:auto" OR sourcetype="access_combined" OR sourcetype="access_common" OR sourcetype="access_combined_wcookie"

Regards,
Selva

0 Karma
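As an added check (my own script, not part of the app or of this thread), a small Python linter for the defects visible in the stanza posted above: a capture group whose name was lost, an EVAL with unbalanced parentheses, and a key defined twice in one stanza. The sample stanza is constructed from the posted config and trimmed to the lines that matter.

```python
import re
from collections import Counter

# Constructed sample (not the app's shipped config): a trimmed copy of the
# poster's [ms:iis:auto] stanza carrying the defects this linter reports.
SAMPLE_PROPS = r"""
[ms:iis:auto]
EXTRACT-http_referer_domain = https?:\/\/(?[^/]+) in cs_Referer
EVAL-http_channel = if(http_referer="-","Direct", if(like(http_referer_domain,"%".site."%","Direct","Referal"))
FIELDALIAS-sc_status = sc_status as status
EXTRACT-file = .*/ in cs_uri_stem
EXTRACT-file = (?<file>\w+(?:.\w+)+$) in cs_uri_stem
"""

NAMED_GROUP = re.compile(r"\(\?P?<\w+>")              # (?<name>...) or (?P<name>...)
STRIPPED_NAME = re.compile(r"\(\?(?![<P:=!#A-Za-z])")  # "(?" followed by nothing PCRE accepts


def parse_props(text):
    """Return {stanza: [(key, value), ...]}, keeping duplicate keys so they can be reported."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current].append((key.strip(), value.strip()))
    return stanzas


def lint_stanza(name, entries):
    """Report defects that make a props.conf stanza silently produce no fields."""
    problems = []
    for key, count in Counter(k for k, _ in entries).items():
        if count > 1:
            problems.append(f"[{name}] {key}: defined {count} times, only the last one takes effect")
    for key, value in entries:
        if key.startswith("EXTRACT-"):
            regex = value.rsplit(" in ", 1)[0]        # drop the optional "in <field>" suffix
            if STRIPPED_NAME.search(regex):
                problems.append(f"[{name}] {key}: capture group has no name (name lost in copy/paste?)")
            elif not NAMED_GROUP.search(regex):
                problems.append(f"[{name}] {key}: regex has no named capture group, extracts nothing")
        elif key.startswith("EVAL-"):
            opened, closed = value.count("("), value.count(")")   # ignores parens inside quotes
            if opened != closed:
                problems.append(f"[{name}] {key}: unbalanced parentheses ({opened} open, {closed} close)")
    return problems


def lint_props(text):
    return [p for name, entries in parse_props(text).items() for p in lint_stanza(name, entries)]


if __name__ == "__main__":
    for problem in lint_props(SAMPLE_PROPS):
        print(problem)
```

Run it against the local props.conf of the app before restarting Splunk; a stanza that lints clean and still yields no fields points at the eventtype or data model side instead.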

p_gurav
Champion

Hi splunkselva,

When you run eventtype=web-traffic, are you getting data with sourcetype=ms:iis:auto?

0 Karma

splunkselva
New Member

Hi p_gurav,

Thanks for the reply. Yes, I am getting data with the "ms:iis:auto" sourcetype. But only the traffic analytic center dashboard is showing results, not the other dashboards.

0 Karma