Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk app for Web Intelligence : missing saved search?

chrispayne
Engager
‎08-26-2011 07:50 AM

I installed the beta web intelligence app and I'm trying to load data and check it out. I've run the backfill scripts and I'm making headway... but I can't find the savedsearch "Sourcenames Lookup". Where should i find it? Can someone post it?

thanks

Reply
1 Solution
Solved! Jump to solution
Solution

Archana
Splunk Employee
Splunk Employee
‎08-27-2011 10:27 PM

The search is:

eventtype=web-traffic | stats count by source | eval sourcename=" " | inputlookup append=t sourcenames.csv | stats last(sourcename) as sourcename by source | outputlookup sourcenames.csv

Have you configured the log sources (analogous to splunk source field) for the app?

What does your eventtype "web-traffic" contain?

View solution in original post

Reply
Solved! Jump to solution
Solution

Archana
Splunk Employee
Splunk Employee
‎08-27-2011 10:27 PM

The search is:

eventtype=web-traffic | stats count by source | eval sourcename=" " | inputlookup append=t sourcenames.csv | stats last(sourcename) as sourcename by source | outputlookup sourcenames.csv

Have you configured the log sources (analogous to splunk source field) for the app?

What does your eventtype "web-traffic" contain?

Reply
Solved! Jump to solution

gjfrater
Engager
‎08-29-2011 09:21 AM

Thanks Archana.

Just to clarify for others, the search has to be run from inside the Web Intelligence App. The 'web-traffic' eventtype is not defined in the standard search app.

Reply
Solved! Jump to solution

gjfrater
Engager
‎08-26-2011 09:22 AM

Hi Chris,

As I understand the documentation, the savedsearch is run from the search window in the UI.

From http://docs.splunk.com/Documentation/WebIntel/latest/User/Definingsitesources:

First, run the saved search called
"Sourcenames Lookup" to populate the
lookup table. You can run this search
from the Search view:

| savedsearch "Sourcenames Lookup"

However, when I run it I get no results, not sure what the problem is...anyone have an idea why or what to try next?

Thanks,

-greg

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...