Getting Data In

sourcenames

evosplunk
Path Finder

So as far as i can understand, you can define a common sourcename for several sourcetypes

I am using the webintelligence beta app, and this generates a sourcenames.csv file in /splunk/etc/apps/webintelligence/lookups

this looks like this:

source,sourcename
"/var/log/apache2/access.log","sourcename"

But when i search for "sourcename" i does not find anything

What am i missing? i'm feeling ive read the manual on webintelligence and i cannot find any more info on this

Thanks!

Tags (1)
0 Karma

pstout
Splunk Employee
Splunk Employee

If you want to search for a particular sourcename, use

eventtype=web-traffic | lookup sourcenames.csv source outputnew sourcename | search sourcename="<SOURCENAME_TO_SEARCH>"

Sourcename is not in the original event data so you must enrich the data through the lookup table.

Keep in mind you'll need to be within the web intelligence app as neither the lookup nor eventtype have global visibility.

0 Karma

evosplunk
Path Finder

Sorry, vorcast is a site, the sourcetype=vorcast* is a apache access and error log, they are defined in splunk as vorcast_access and vorcast_error so sourcetype=vorcast* shows all of that in a search, i see that it works.
searches for access_combined etc also show results.

The site in questions logs to its own log files.

0 Karma

pstout
Splunk Employee
Splunk Employee

That source might be the product of a summary index saved search. You shouldn't have to change the sources that are predefined.

Not sure what sourcetype="vorcast" is. The web intelligence app should be looking for Apache access_combined or Microsoft IIS logs. These should be sourcetype="access_combined" or sourcetype="iis"

If you open your search app, can you get results for any of the following searches?

sourcetype="access_combined"

sourcetype="access_common"

sourcetype="iis"

0 Karma

evosplunk
Path Finder

For instance, this search ReportOps - Top URI By Good Status
sounds like this:

timerange_hack source="Web Traffic goodstatus*" | eval status=toString(floor(status/100))+"xx" | stats values(myclientip) as myips sum(hits) as myhits by uri, status | mvexpand myips | stats dc(myips) as "unique ips" max(myhits) as "total count" by uri, status

What is the source in this? where is that source defined? Am i supposed to change it?

0 Karma

evosplunk
Path Finder

I just put in
sourcetype="vorcast*"
ive defined the sourcetype in index before, theres a preview button there, and that shows me that it finds something based on my search.

Thank you very much for helping me understand this btw, much appreciated!

0 Karma

pstout
Splunk Employee
Splunk Employee

In that box, you should put something like:

index="main" sourcetype="access_combined"

Of course, replace the index and sourcetype with actual values from your instance.

0 Karma

evosplunk
Path Finder

Maybe i just misunderstand the setup

None of teh dashboards show anything, ive gone through the setup process, and i have specified one apache access log and one error log for testing.

Ive not made changes to the stock searches, am i supposed to?

0 Karma

pstout
Splunk Employee
Splunk Employee

Have you gone through the setup process?

/en-US/app/webintelligence/setup

Particularly #3 -- "Specify Log Sources." It's been some time since I configured the app for web intelligence but this would certainly impact the population of the bundled dashboards.

If so, do other dashboards populate? Do you get any error messages? Have you made any changes to the saved searches or eventtypes defined in the stock WI app?

0 Karma

evosplunk
Path Finder

Im just trying to get the en-US/app/webintelligence/business_pageviews etc (pre defined searches) to show somehting, they are not. alhtough the search you provided works well.

0 Karma

pstout
Splunk Employee
Splunk Employee

Where are you searching? I'm using this URI:

http://splunk-server:port/en-US/app/webintelligence/flashtimeline

You can't just use the sourcename in the query without first specifying the lookup table as I mentioned above using the "lookup" command. The field does not exist before this.

0 Karma

evosplunk
Path Finder

But all the searches form within webinteligence doesnt return any results with the searches like

search host=* [ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=(86400+3600),"index=wi_summary_hourly","index=wi_summary_daily") ] source="User session visitor source*" sourcename="vorcast.org" | timechart eval(sum(myeventcount)) AS pageviews, dc(clientip) AS unique_visitors, eval((sum(myeventcount))/dc(clientip)) AS avg_pageviews

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...