
Splunk App for Web Intelligence: what should column names be for IIS log data?

Explorer

I'm having a problem getting the web intel app to show any results. I've investigated a bit, and I think the problem is the column names I used.

This is what I currently have set:

iislogs

FIELDS = "date", "time", "ssiteName", "scomputername", "destip", "httpmethod", "uristem", "uriquery", "destport", "user", "srcip", "httpuseragent", "httpcookie", "httpreferrer", "desthost", "httpresponse", "httpsubresponse", "scwin32Status", "bytesout", "bytes_in", "duration"

DELIMS = " "

What column names does web intel expect me to have?

0 Karma

Re: Splunk App for Web Intelligence: what should column names be for IIS log data?

Explorer

Figured it out. For anyone else who wants a fix for this:

1) Navigate to Manager » Fields » Field aliases

2) Click on each alias, and add a new alias


Re: Splunk App for Web Intelligence: what should column names be for IIS log data?

Explorer

What aliases did you add?


Re: Splunk App for Web Intelligence: what should column names be for IIS log data?

Path Finder

Here is a list of field aliases that may be needed, taken from [access-extractions] in default/transforms.conf

[access-extractions]
# matches access-common or access-combined apache logging formats
# Extracts: clientip, clientport, ident, user, req_time, method, uri, root, file, uri_domain, uri_query, version, status, bytes, referer_url, referer_domain, referer_proto, useragent, cookie, other (remaining chars)  
# Note: referer is misspelled in purpose because that is the "official" spelling for "HTTP referer" 
0 Karma
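A possible set of aliases in file form, as an added example that is not from any poster in this thread or from the app itself: it maps the field names in the question's FIELDS line onto the names listed in the [access-extractions] comment above, using the `FIELDALIAS-<class> = <original> AS <alias>` setting in props.conf (the file the Field aliases page in Manager writes to). The stanza name is a placeholder for your own IIS sourcetype, and which source field pairs with which target name is an assumption to check against the app's searches.

```ini
# props.conf (in the app's local/ directory)
# Added example: the stanza name below is a placeholder, replace it with
# the sourcetype your IIS logs are indexed under.
[<your_iis_sourcetype>]

# Left side: field names from the FIELDS line in the question.
# Right side: names from the [access-extractions] comment quoted above.
# The pairings are assumptions; adjust them to what the app actually searches on.

# Client address
FIELDALIAS-webintel_clientip = srcip AS clientip

# Request line
FIELDALIAS-webintel_method = httpmethod AS method
# uristem is the path without the query string, so this is only an
# approximation of the Apache-style "uri" field.
FIELDALIAS-webintel_uri = uristem AS uri
FIELDALIAS-webintel_uri_query = uriquery AS uri_query

# Response
FIELDALIAS-webintel_status = httpresponse AS status
FIELDALIAS-webintel_bytes = bytesout AS bytes

# Request headers
FIELDALIAS-webintel_referer = httpreferrer AS referer_url
FIELDALIAS-webintel_useragent = httpuseragent AS useragent
FIELDALIAS-webintel_cookie = httpcookie AS cookie

# "user" already has the expected name, so it needs no alias.
```

Field aliases are applied at search time, so the original field names stay available and already indexed events pick up the new names without re-indexing.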