IIS Logs & WebIntelligence

Engager

Hi,

I have a problem getting the webintelligence app to work.

I am running splunk-5.0 on CentOS and installed webintelligence app. I am running UF in windows-2008R2 to forward IIS logs to my splunk box. The inputs.conf at Windows is:

[monitor://C:\inetpub\logs\LogFiles\*\*.log]
disabled = false
index=webintelligence
sourcetype=iis

The webintelligence index has been created and the IIS logs are appearing in Splunk with sourcetype as "iis-2". From the webintelligence setup menu I have specified "index=webintelligence" under "Specify log sources" section (when doing preview I can see the IIS logs). But when I browse to webintelligence app I am not getting any results.

I have the following settings in /opt/splunk/etc/system/local/transforms.conf

[removecomments]
REGEX = ^\#.*
DEST_KEY = queue
FORMAT = nullQueue

[iis-2]
DELIMS = " "
FIELDS = date, time, s-sitename, s-computername, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs-version, cs(User-Agent), cs(Cookie), cs(Referer), cs-host, sc-status, sc-substatus, sc-win32-status, sc-bytes, cs-bytes, time-taken

I have the following settings in /opt/splunk/etc/system/local/props.conf

[iis-2]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
CHECK_FOR_HEADER = true
TZ = GMT
REPORT-iis-2 = iis-2
TRANSFORMS-removecomments = removecomments

Are there any other changes required?

Thank you.

Sathish.

Re: IIS Logs & WebIntelligence

Path Finder

The only difference with mine is that in my props.conf on the indexer, I have these two set (differently than yours):

CHECK_FOR_HEADER = False
TZ = UTC

I also have this entry in the props.conf on the client UF, but I think it is not needed/used:

[source::(?i)...\\inetpub\\logs\\u*.log]
0 Karma

Re: IIS Logs & WebIntelligence

Engager

Hi,

I made changes to props.conf similar to your settings (the two above). But the webintelligence app is not displaying any output. From the webintelligence search, if I search for the following queries I get results.

csUserAgent="Mozilla/5.0+(X11;+Linux+x8664;+rv:15.0)+Gecko/20100101+Firefox/15.0"
cs_version="HTTP/1.1"
eventtype=web-traffic
eventtype="pageview"

Another problem is that the wisummary* indexes contain no events. I don't know where I am making mistakes!

Thank you.

Best,
Sathish.

0 Karma

Re: IIS Logs & WebIntelligence

Path Finder

I am not familiar with that app, so I can't say for sure... The summary index may get fed by something you have to enable in the app configuration. If you see the data from your logs get into the index called webintelligence (do a simple search 'index=webintelligence' for the past 24 hours or whatever you think is good to see data), then your data is flowing into Splunk OK. The app may have special filters and queries that expect data a certain way - you can either look at its configs and try to see what it expects, post them here, or maybe contact Splunk Support, depending on your comfort level.

0 Karma