web intelligence app - source not matching

Explorer

Installed the universal forwarder and added the following stanza to the inputs.conf file [C:\Program Files\SplunkUniversalForwarder\etc\system\default]


    [monitor://C:inetpublogsLogFiles]
    disabled = false
    followTail = 0
    sourcetype=iis


Realtime Bus and Realtime Ops are working in the web intelligence app, because they use 'eventtype' instead of 'source'.

But when I run Report Bus and Report Ops, it shows no results found.

If I run this query: timerange_hack source="User session browser stats*" - No results found

The following sources also have no data:

  • source="User session visitor source*"
  • source="User session demographics*"
  • source="Referer category*"
  • source="User session browser stats*"
  • source="Web Traffic badstatus fivemin summary*"
  • source="Web Traffic by host"

Backfilling done for 10 days.

What is missing, and how do I link the 'source' to the data?

Thanks all

0 Karma

Explorer

Thanks Mick for your help

The stanza I mentioned above is wrong, sorry.

Splunk instance is collecting data from the web server.

The actual stanza I wrote in the inputs.conf file is:


    [monitor://C:\inetpub\logs\LogFiles] original {d:\iislog\LogFiles}
    disabled = false
    followTail = 0
    sourcetype=iis


Actually, the problem is that backfilling was not done properly.

Now everything is working.

Thanks

0 Karma

Splunk Employee

After enabling any input, it's important that you verify that you actually have data coming into your Splunk instance from that source. In this instance, I suspect that your original input stanza is not working because you're missing a \ in your monitor spec, i.e.

 [monitor://C:inetpublogsLogFiles]

Should be:

[monitor://C:\inetpublogsLogFiles]

Once this is corrected and you have restarted your instance, you can verify if you're getting data simply by running the search "source=C:\inetpublogsLogFiles*"

0 Karma
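
A broken monitor stanza fails silently, so the IIS logs simply never arrive and nothing downstream reports the gap. The following is an added example, not code from the thread or from Splunk: a small linter that parses the [monitor://...] stanzas of an inputs.conf and flags a Windows path with no separator after the drive letter, a disabled input, or a missing sourcetype. The function names and the SAMPLE text (built from the two stanzas quoted in the thread) are assumptions made for illustration.

```python
import re

# Matches a Splunk monitor stanza header and captures the monitored path.
MONITOR_RE = re.compile(r"^\[monitor://(?P<path>[^\]]+)\]\s*$")
# Drive letter not followed by a path separator, e.g. "C:inetpub...".
DRIVE_NO_SEP_RE = re.compile(r"^[A-Za-z]:(?![\\/])")


def parse_monitor_stanzas(text):
    """Return {path: {key: value}} for every [monitor://...] stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            m = MONITOR_RE.match(line)
            # Non-monitor stanzas are skipped, along with their settings.
            current = stanzas.setdefault(m.group("path"), {}) if m else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def lint_monitor_stanzas(text):
    """Return a list of (path, problem) findings for monitor stanzas."""
    findings = []
    for path, settings in parse_monitor_stanzas(text).items():
        if DRIVE_NO_SEP_RE.match(path):
            findings.append((path, "no path separator after drive letter"))
        if settings.get("disabled", "false").lower() in ("1", "true"):
            findings.append((path, "input is disabled"))
        if "sourcetype" not in settings:
            findings.append((path, "no explicit sourcetype"))
    return findings


# Constructed sample: the two stanzas quoted in the thread.
SAMPLE = r"""
[monitor://C:inetpublogsLogFiles]
disabled = false
followTail = 0
sourcetype=iis

[monitor://C:\inetpub\logs\LogFiles]
disabled = false
followTail = 0
sourcetype=iis
"""

if __name__ == "__main__":
    for path, problem in lint_monitor_stanzas(SAMPLE):
        print(f"{path}: {problem}")
```

The linter cannot tell whether separators inside the path were lost, so a clean result still needs the search-side check described in the answer above.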