All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

web intelligence app - source not matching

mnaina
Explorer
‎04-04-2013 03:09 AM

Installed universal forwader and added the following stanza in inputs.conf file [C:\Program Files\SplunkUniversalForwarder\etc\system\default]

[monitor://C:inetpublogsLogFiles]

disabled = false

followTail = 0

sourcetype=iis

Realtime Bus and Realtime Ops are woring in web intelligence app, because it use 'eventype' instead of 'source' .

But when I ran Report Bus and Report Ops it shows no results found.

If I run this qurey timerange_hack source="User session browser stats*" - No results found

Like the following sources also have no data

  • source="User session visitor source*"

source="User session demographics*"

source="Referer category*"

source="User session browser stats*"

source="Web Traffic badstatus fivemin summary*

source ="Web Traffic by host"

Backfilling done for 10 days.

What is missing and how to link the 'source'to the data?

Thanks all

0 Karma
Reply

mnaina
Explorer
‎04-04-2013 08:18 AM

Thanks Mick for your help

Stanza I mentioned above is wrong, Sorry

Splunk instance is collecting data from the web server.

The actual stanza I wrote on input.con file is

  • [monitor://C:\inetpub\logs\LogFiles] original {d:\iislog\LogFiles}

disabled = false

followTail = 0

sourcetype=iis

Actually problem is backfilling not done properly.

Now everything is working.

Thanks

0 Karma
Reply

Mick
Splunk Employee
Splunk Employee
‎04-04-2013 07:19 AM

After enabling any input, it's important that you verify that you actually have data coming into your Splunk instance from that source. In this instance, I suspect that your original input stanza is not working because you're missing a \ in your monitor spec, i.e.

 [monitor://C:inetpublogsLogFiles]

Should be:

[monitor://C:\inetpublogsLogFiles]

Once this is corrected and you have restarted your instance, you can verify if you're getting data simply by running the search "source=C:\inetpublogsLogFiles*"

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...