IIS Logs & WebIntelligence

33itsec
Engager

Hi,

I have a problem getting the webintelligence app to work.

I am running splunk-5.0 on CentOS and installed the webintelligence app. I am running a UF on Windows-2008R2 to forward IIS logs to my splunk box. The inputs.conf on Windows is:

[monitor://C:\inetpub\logs\LogFiles\*\*.log]
disabled = false
index=webintelligence
sourcetype=iis

The webintelligence index has been created and the IIS logs are appearing in Splunk with sourcetype as "iis-2". From the webintelligence setup menu I have specified "index=webintelligence" under "Specify log sources" section (when doing preview I can see the IIS logs). But when I browse to webintelligence app I am not getting any results.

I have the following settings in /opt/splunk/etc/system/local/transforms.conf

[removecomments]
REGEX = ^\#.*
DEST_KEY = queue
FORMAT = nullQueue

[iis-2]
DELIMS = " "
FIELDS = date, time, s-sitename, s-computername, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs-version, cs(User-Agent), cs(Cookie), cs(Referer), cs-host, sc-status, sc-substatus, sc-win32-status, sc-bytes, cs-bytes, time-taken

I have the following settings in /opt/splunk/etc/system/local/props.conf

[iis-2]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
CHECK_FOR_HEADER = true
TZ = GMT
REPORT-iis-2 = iis-2
TRANSFORMS-removecomments = removecomments

Are there any other changes required?

Thank you.

Sathish.

naydenk
Path Finder

The only difference with mine is that in my props.conf on the indexer, I have these two set (differently than yours):

CHECK_FOR_HEADER = False
TZ = UTC

I also have this entry in the props.conf on the client UF, but I think it is not needed/used:

[source::(?i)...\\inetpub\\logs\\u*.log]

naydenk
Path Finder

I am not familiar with that app, so I can't say for sure... The summary index may get fed by something you have to enable in the app configuration. If you see the data from your logs get into the index called webintelligence (do a simple search 'index=webintelligence' for the past 24 hours or whatever you think is good to see data), then your data is flowing into Splunk OK. The app may have special filters and queries that expect data a certain way - you can either look at its configs and try to see what it expects, post them here, or maybe contact Splunk Support, depending on your comfort level.


33itsec
Engager

Hi,

I made changes to props.conf similar to your settings (the 2 above). But the webintelligence app is not displaying any output. From the webintelligence search, if I search for the following queries I get results.

cs_User_Agent_="Mozilla/5.0+(X11;+Linux+x86_64;+rv:15.0)+Gecko/20100101+Firefox/15.0"
cs_version="HTTP/1.1"
eventtype=web-traffic
eventtype="pageview"

Another problem is that the wi_summary_* indexes contain no events. I don't know where I am making mistakes!

Thank you.

Best,
Sathish.

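Added example, not code from the thread or from the webintelligence app: a small Python parser that applies the DELIMS/FIELDS list from the question's [iis-2] transforms stanza to constructed IIS W3C log lines, drops the # comment lines the removecomments transform sends to nullQueue, cleans field names the way Splunk does (which is why cs(User-Agent) is searched as cs_User_Agent_ above), and checks the log's own #Fields: header against the configured order, since a mismatch silently shifts every value into the wrong field. The sample log lines and the key-cleaning rule (non-alphanumerics become underscores) are assumptions made for this example.

```python
import re

# FIELDS as configured in the [iis-2] transforms.conf stanza in the question.
FIELDS = ("date, time, s-sitename, s-computername, s-ip, cs-method, cs-uri-stem, "
          "cs-uri-query, s-port, cs-username, c-ip, cs-version, cs(User-Agent), "
          "cs(Cookie), cs(Referer), cs-host, sc-status, sc-substatus, "
          "sc-win32-status, sc-bytes, cs-bytes, time-taken").split(", ")

# Constructed IIS W3C log sample (not a real capture). IIS writes '-' for an
# empty value and encodes spaces in the user agent as '+', as in the question.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-01-15 00:00:00
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2013-01-15 00:00:01 W3SVC1 WEB01 10.0.0.5 GET /index.html - 80 - 10.0.0.9 HTTP/1.1 Mozilla/5.0+(X11;+Linux+x86_64;+rv:15.0)+Gecko/20100101+Firefox/15.0 - - www.example.com 200 0 0 1532 412 15
2013-01-15 00:00:02 W3SVC1 WEB01 10.0.0.5 GET /login.aspx user=admin 80 - 10.0.0.9 HTTP/1.1 Mozilla/5.0+(X11;+Linux+x86_64;+rv:15.0)+Gecko/20100101+Firefox/15.0 - http://www.example.com/index.html www.example.com 401 2 5 1401 498 7
"""


def splunk_field_name(raw):
    """Approximation (assumed) of Splunk's key cleaning: every character that
    is not [A-Za-z0-9_] becomes '_', so cs(User-Agent) -> cs_User_Agent_."""
    return re.sub(r"[^A-Za-z0-9_]", "_", raw)


def parse_iis(text, fields=FIELDS):
    """Return (events, header). '#' lines are dropped like the removecomments
    transform does, but the #Fields: header is kept for a sanity check."""
    events, header = [], None
    for line in text.splitlines():
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                header = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")          # DELIMS = " "
        if len(values) != len(fields):
            continue  # wrong column count: values would land in the wrong fields
        events.append({splunk_field_name(k): v for k, v in zip(fields, values)})
    return events, header


def fields_match_header(header, fields=FIELDS):
    """True when the log's own #Fields: order equals the configured FIELDS."""
    return header is not None and list(header) == list(fields)
```

If fields_match_header() is False for a given site's logs, the IIS logging fields were changed and the FIELDS line must be updated to the same order before any status-code or user-agent search can be trusted.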