So as far as I can understand, you can define a common sourcename for several sourcetypes.
I am using the webintelligence beta app, and this generates a sourcenames.csv file in /splunk/etc/apps/webintelligence/lookups.
It looks like this:
source,sourcename
"/var/log/apache2/access.log","sourcename"
But when I search for "sourcename" it does not find anything.
What am I missing? I feel I've read the manual on webintelligence and I cannot find any more info on this.
Thanks!
If you want to search for a particular sourcename, use
eventtype=web-traffic | lookup sourcenames.csv source outputnew sourcename | search sourcename="<SOURCENAME_TO_SEARCH>"
Sourcename is not in the original event data so you must enrich the data through the lookup table.
Keep in mind you'll need to be within the web intelligence app as neither the lookup nor eventtype have global visibility.
Sorry, vorcast is a site. The sourcetype=vorcast* is an Apache access and error log; they are defined in Splunk as vorcast_access and vorcast_error, so sourcetype=vorcast* shows all of that in a search. I see that it works.
Searches for access_combined etc. also show results.
The site in question logs to its own log files.
That source might be the product of a summary index saved search. You shouldn't have to change the sources that are predefined.
Not sure what sourcetype="vorcast" is. The web intelligence app should be looking for Apache access_combined or Microsoft IIS logs. These should be sourcetype="access_combined" or sourcetype="iis".
If you open your search app, can you get results for any of the following searches?
sourcetype="access_combined"
sourcetype="access_common"
sourcetype="iis"
For instance, the search "ReportOps - Top URI By Good Status" looks like this:
timerange_hack
source="Web Traffic goodstatus*" | eval status=toString(floor(status/100))+"xx" | stats values(myclientip) as myips sum(hits) as myhits by uri, status | mvexpand myips | stats dc(myips) as "unique ips" max(myhits) as "total count" by uri, status
What is the source in this? Where is that source defined? Am I supposed to change it?
I just put in
sourcetype="vorcast*"
I've defined the sourcetype in the index before; there's a preview button there, and that shows me that it finds something based on my search.
Thank you very much for helping me understand this, btw; much appreciated!
In that box, you should put something like:
index="main" sourcetype="access_combined"
Of course, replace the index and sourcetype with actual values from your instance.
Maybe I just misunderstand the setup.
None of the dashboards show anything. I've gone through the setup process, and I have specified one Apache access log and one error log for testing.
I've not made changes to the stock searches; am I supposed to?
Have you gone through the setup process?
/en-US/app/webintelligence/setup
Particularly #3 -- "Specify Log Sources." It's been some time since I configured the app for web intelligence but this would certainly impact the population of the bundled dashboards.
If so, do other dashboards populate? Do you get any error messages? Have you made any changes to the saved searches or eventtypes defined in the stock WI app?
I'm just trying to get the en-US/app/webintelligence/business_pageviews etc. (predefined searches) to show something; they are not, although the search you provided works well.
Where are you searching? I'm using this URI:
http://splunk-server:port/en-US/app/webintelligence/flashtimeline
You can't just use the sourcename in the query without first specifying the lookup table as I mentioned above using the "lookup" command. The field does not exist before this.
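To illustrate the point made in this answer and in the earlier one (the sourcename field only exists after the lookup), here is an added Python model of "lookup sourcenames.csv source outputnew sourcename | search sourcename=..." run over a constructed sourcenames.csv and constructed events. It is example code, not part of this thread or of the Web Intelligence app; the log paths, sourcetypes and the vorcast.org mapping are assumed.

```python
import csv
import io

# Constructed lookup file in the same shape as the app's sourcenames.csv
# (paths and the vorcast.org mapping are made up for this example).
SOURCENAMES_CSV = """source,sourcename
"/var/log/apache2/access.log","vorcast.org"
"/var/log/apache2/error.log","vorcast.org"
"""

# Constructed sample events carrying only the fields raw events really have:
# note that no event has a sourcename field at index time.
EVENTS = [
    {"source": "/var/log/apache2/access.log", "sourcetype": "vorcast_access", "status": "200"},
    {"source": "/var/log/apache2/error.log", "sourcetype": "vorcast_error", "status": "500"},
    {"source": "/var/log/nginx/access.log", "sourcetype": "access_combined", "status": "404"},
]


def load_lookup(text):
    """Parse the CSV into {source: sourcename}, the table the lookup command consults."""
    return {row["source"]: row["sourcename"] for row in csv.DictReader(io.StringIO(text))}


def lookup_outputnew(events, table, key="source", field="sourcename"):
    """Model of `lookup sourcenames.csv source OUTPUTNEW sourcename`:
    set the output field only when the key matches and the field is not already present."""
    enriched = []
    for ev in events:
        ev = dict(ev)  # do not mutate the caller's events
        if field not in ev and ev.get(key) in table:
            ev[field] = table[ev[key]]
        enriched.append(ev)
    return enriched


def search(events, field, value):
    """Model of `| search field="value"`: an event without the field can never match."""
    return [ev for ev in events if ev.get(field) == value]


def run():
    """Return (matches without lookup, matches after lookup) for sourcename="vorcast.org"."""
    table = load_lookup(SOURCENAMES_CSV)
    before = search(EVENTS, "sourcename", "vorcast.org")            # field absent: 0 hits
    after = search(lookup_outputnew(EVENTS, table), "sourcename", "vorcast.org")  # 2 hits
    return len(before), len(after)


if __name__ == "__main__":
    print(run())  # (0, 2)
```

The nginx event has no row in the lookup, so it stays without a sourcename and is correctly excluded even after enrichment.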
But none of the searches from within webintelligence return any results, with searches like
search host=* [ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=(86400+3600),"index=wi_summary_hourly","index=wi_summary_daily") ] source="User session visitor source*" sourcename="vorcast.org" | timechart eval(sum(myeventcount)) AS pageviews, dc(clientip) AS unique_visitors, eval((sum(myeventcount))/dc(clientip)) AS avg_pageviews