I have a problem getting the webintelligence app to work.
I am running splunk-5.0 on CentOS and have installed the webintelligence app. I am running a UF on Windows 2008 R2 to forward IIS logs to my Splunk box. The inputs.conf on the Windows host is:
    [monitor://C:\inetpub\logs\LogFiles\*\*.log]
    disabled = false
    index = webintelligence
    sourcetype = iis
The webintelligence index has been created and the IIS logs are appearing in Splunk with the sourcetype "iis-2". From the webintelligence setup menu I have specified "index=webintelligence" under the "Specify log sources" section (when doing a preview I can see the IIS logs). But when I browse to the webintelligence app I am not getting any results.
I have the following settings in /opt/splunk/etc/system/local/transforms.conf
    [removecomments]
    REGEX = ^\#.*
    DEST_KEY = queue
    FORMAT = nullQueue

    [iis-2]
    DELIMS = " "
    FIELDS = date, time, s-sitename, s-computername, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs-version, cs(User-Agent), cs(Cookie), cs(Referer), cs-host, sc-status, sc-substatus, sc-win32-status, sc-bytes, cs-bytes, time-taken
I have the following settings in /opt/splunk/etc/system/local/props.conf
    [iis-2]
    pulldown_type = true
    MAX_TIMESTAMP_LOOKAHEAD = 32
    SHOULD_LINEMERGE = False
    CHECK_FOR_HEADER = true
    TZ = GMT
    REPORT-iis-2 = iis-2
    TRANSFORMS-removecomments = removecomments
Are there any other changes required?
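As an added check (not part of the original post or the webintelligence app), the script below replicates what the two transforms.conf stanzas above do to an IIS W3C log: the [removecomments] regex drops every line starting with "#" (including the "#Fields:" header), and the [iis-2] DELIMS/FIELDS stanza splits each remaining line on spaces and assigns the hard-coded field names positionally. Because the header is discarded, Splunk never sees which columns IIS actually writes, so if the site's logging field selection differs from the 22 names in FIELDS, values land under the wrong field names and the app's searches (e.g. on sc-status or cs-uri-stem) silently return nothing. The log lines used here are constructed, and the 14-field layout in the second sample is an assumption meant to illustrate a narrower field selection than the configured list; check against your own "#Fields:" line.

```python
import re

# Field list copied from the [iis-2] stanza in transforms.conf above.
IIS_FIELDS = [
    "date", "time", "s-sitename", "s-computername", "s-ip", "cs-method",
    "cs-uri-stem", "cs-uri-query", "s-port", "cs-username", "c-ip",
    "cs-version", "cs(User-Agent)", "cs(Cookie)", "cs(Referer)", "cs-host",
    "sc-status", "sc-substatus", "sc-win32-status", "sc-bytes", "cs-bytes",
    "time-taken",
]

# Same regex as the [removecomments] transform: matching lines are
# routed to the nullQueue, i.e. dropped before indexing.
COMMENT_RE = re.compile(r"^\#.*")


def header_fields(lines):
    """Return the field names the log's own '#Fields:' header declares, or None."""
    for line in lines:
        if line.startswith("#Fields:"):
            return line[len("#Fields:"):].split()
    return None


def extract(line, fields=IIS_FIELDS):
    """Mimic DELIMS=" " plus FIELDS=...: split on single spaces and pair the
    tokens with the configured names positionally. Comment lines return None,
    as they would be dropped by the nullQueue transform."""
    if COMMENT_RE.match(line):
        return None
    return dict(zip(fields, line.split(" ")))


def check_log(lines):
    """Compare the configured FIELDS with the log's header and flag events whose
    token count does not match the configured field count (1-based line numbers)."""
    declared = header_fields(lines)
    report = {
        "header_matches_config": declared == IIS_FIELDS,
        "declared_fields": declared,
        "dropped_comments": 0,
        "events": 0,
        "bad_field_count": [],
    }
    for n, line in enumerate(lines, 1):
        if extract(line) is None:
            report["dropped_comments"] += 1
            continue
        report["events"] += 1
        if len(line.split(" ")) != len(IIS_FIELDS):
            report["bad_field_count"].append(n)
    return report


# Constructed sample: header and event agree with the configured 22 fields.
SAMPLE_MATCHING = [
    "#Software: Microsoft Internet Information Services 7.5",
    "#Version: 1.0",
    "#Date: 2013-01-15 00:00:00",
    "#Fields: " + " ".join(IIS_FIELDS),
    "2013-01-15 00:00:01 W3SVC1 WEB01 10.0.0.5 GET /index.html - 80 - "
    "203.0.113.7 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1) - - www.example.com "
    "200 0 0 1234 345 15",
]

# Constructed sample: a site logging only 14 fields (assumed layout), so the
# positional FIELDS mapping above would mislabel every column after s-ip.
SAMPLE_NARROW = [
    "#Software: Microsoft Internet Information Services 7.5",
    "#Version: 1.0",
    "#Date: 2013-01-15 00:00:00",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status "
    "time-taken",
    "2013-01-15 00:00:01 10.0.0.5 GET /index.html - 80 - 203.0.113.7 "
    "Mozilla/5.0+(Windows+NT+6.1) 200 0 0 15",
]

if __name__ == "__main__":
    for name, sample in (("matching", SAMPLE_MATCHING), ("narrow", SAMPLE_NARROW)):
        r = check_log(sample)
        print(name, "header matches config:", r["header_matches_config"],
              "events:", r["events"], "bad field count at lines:", r["bad_field_count"])
```

Run it against the first few lines of a real file from C:\inetpub\logs\LogFiles; if `header_matches_config` is False, either change the IIS logging field selection to match FIELDS or rewrite the FIELDS list to match the "#Fields:" line, since the transform cannot adapt to the header it discards.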
The only difference with mine is that in my props.conf on the indexer, I have these two set (differently than yours):
    CHECK_FOR_HEADER = False
    TZ = UTC
I also have this entry in the props.conf on the client UF, but I think it is not needed/used:
I am not familiar with that app, so I can't say for sure... The summary index may get fed by something you have to enable in the app configuration. If you see the data from your logs get into the index called webintelligence (do a simple search 'index=webintelligence' for the past 24 hours or whatever you think is good to see data), then your data is flowing into Splunk OK. The app may have special filters and queries that expect data certain way - you can either look at its configs and try to see what it expects, post them here or maybe contact Splunk Support, depending on your comfort level.
I changed props.conf to match your settings (the two above), but the webintelligence app still displays no output. From the webintelligence search, if I search for the following queries I get results.
Another problem is that the wi_summary_* indexes contain no events. I don't know where I am making mistakes!