Hi guys, I'm almost finished with a new version that has better support for ms:iis:* sourcetypes and a feature where you can select your own datamodel name. This is configured in a macro provided with the app. You can look at the source for this here: https://github.com/johanbjerke/SplunkAppForWebAnalytics This is the unpackaged version of the app so there are files in the local folders etc. Use at your own risk 🙂 Estimated release in end May or early June. johan ... View more

Hi guys, I'm almost finished with a new version that has better support for ms:iis:* sourcetypes and a feature where you can select your own datamodel name. This is configured in a macro provided with the app. You can look at the source for this here: https://github.com/johanbjerke/SplunkAppForWebAnalytics This is the unpackaged version of the app so there are files in the local folders etc. Use at your own risk 🙂 johan ... View more

Hi GDustin Reach out to me via email and I can help you out. It's my firstname and then splunk.com. Simple Just doing some development work on the app right now. johan ... View more

Hi kmower I think you are misunderstanding the concept of the file field in relation to this app. This field is a search time extraction that happens inside Splunk. There is no need to re-configure the iis server logs to include this field. The file field comes from an extraction based on the cs_uri_stem field which contains the requested resource including the file. j ... View more

Hi You should be able to use the props above for any sourcetype name, iis or ms:iis:auto. Just make sure the naming lines up between the actual logs, the inputs, the props and the eventtypes. I'm the author of the app and I will improve the support in the next version. We are looking at a May 2019 release. Sorry for the iis neglect! j ... View more

Hi guys The KVstore cleans itself out whenever it add new sessions every 10 minutes in the scheduled search. No need to do anything at all. This process is described in the docs for the app. j ... View more

It might be possible to use the sourcetype rename in the app context of Splunk App for Web Analytics only. This way all your old dashboard would still use the original sourcetype. j ... View more

Hi I am working on support for this sourcetype and it will be available in the next version. In the meantime I have this props.conf stanza available. [ms:iis:auto] CHARSET=UTF-8 INDEXED_EXTRACTIONS=w3c MAX_TIMESTAMP_LOOKAHEAD=32 SHOULD_LINEMERGE=false category=Web description=W3C Extended log format produced by the Microsoft Internet Information Services (IIS) web server detect_trailing_nulls=auto pulldown_type=true EXTRACT-http_referer_domain = https?:\/\/(?<http_referer_domain>[^/]+) in cs_Referer EVAL-http_referer = if(isnull(cs_Referer),"-",cs_Referer) FIELDALIAS-clientip = c_ip AS clientip FIELDALIAS-cookie = cs_Cookie AS cookie FIELDALIAS-http_user_agent = cs_User_Agent AS http_user_agent FIELDALIAS-bytes = cs_bytes AS bytes #FIELDALIAS-host = cs_host AS host EVAL-host = coalesce(cs_host,cs_Host,host) FIELDALIAS-http_method = cs_method AS http_method FIELDALIAS-uri_query = cs_uri_query AS uri_query FIELDALIAS-cs_uri_stem = cs_uri_stem AS uri FIELDALIAS-uri = cs_uri_stem AS http_request FIELDALIAS-user = cs_username AS user FIELDALIAS-version = cs_version AS version FIELDALIAS-status = sc_status AS status FIELDALIAS-response_time = time_taken AS response_time #EXTRACT-file = .*[/](?<file>.+\.\w+) in cs_uri_stem EXTRACT-file = (?<file>\w+(?:\.\w+)+$) in cs_uri_stem #Global properties, applied to all sourcetypes for the app EXTRACT-http_locale = (?i)^(?:[^;\n]*;){3}\s+(?P<http_locale>[a-z]{2}(|[-_][a-z]{2})); EVAL-file = if(match(file,"\."),file,NULL) EVAL-http_channel = if(http_referer="-","Direct", if(like(http_referer_domain,"%".site."%","Direct", if(isnull(http_channel), "Referal", http_channel))) EVAL-http_referer_domain = replace(http_referer_domain, "http(s|):\/\/", "") EVAL-http_referer_hostname = replace(replace(replace(http_referer_domain, "http(s|):\/\/", ""), "^(www|m|uk|r|l|tpc|lm)\.+", ""), "(\.{1}[a-zA-Z]+)", "") EVAL-user = md5(clientip."_".http_user_agent) LOOKUP-2_Channels = WA_channels Hostname AS http_referer_hostname OUTPUT Channel AS http_channel LOOKUP-site = WA_settings source AS source host AS host OUTPUTNEW value AS site You also need to modify the eventtypes.conf to refefence this sourcetype [web-traffic] search = sourcetype="aws:cloudfront:accesslogs" OR sourcetype="apache:access" OR sourcetype="iis" OR sourcetype="access_combined" OR sourcetype="access_common" OR sourcetype="access_combined_wcookie" OR sourcetype="ms:iis:auto" ... View more

Hi I will incorporate a way to define your own DM name in the next release to avoid this conflict. The changes made to the Web datamodel for this app are quite specific to web analytics so not sure the standard Web datamodel is the perfect fit. I will keep the community posted on the progress. j ... View more

Hi You can rename the datamodel in the app to something else so it is not conflicting and change all references to the datamodel in each saved search and dashboard. The app uses CIM naming convention in the Web datamodel but extended it with an additional 10 fields or so. j ... View more

Ok so, the searches are being stripped from answer. index = myindex="widget_a" | eventstats dc(chunk) as number_of_chunk_values_returned | streamstats count | where count<number_of_chunk_values_returned The streamstats command creates a rowcount that you can use to filter with the where command. You cannot have dynamic values in the head command so it would not be helpful in this instance. j ... View more

Hi I think you need to do something like this index = myindex="widget_a" | eventstats dc(chunk) as number_of_chunk_values_returned | streamstats count | where count ... View more

The right way to do this is to use the header_field option for the transpose command | transpose header_field=Key ... View more

Hi dariopis No, only wildcards. You can use * or ? to replace multiple or single characters. You could have two lines that both refers to the same same site: vlp054*, siteA vlp055*, siteA j ... View more

Hi splunkselva Edit the default props.conf and copy the stanza [iis] into a new local props.conf [ms:iis:auto] You also need to edit the eventtype definitions in eventtype.conf. Let me know how you get along. j ... View more

I'm not sure what you mean with "failed" in your example. This error is most likely due to your log file not conforming to what the app expects. Have you tried access_combined and apache:access as sourcetype names? If none of these work you need to make sure all field extractions work. As you can see from the query there are numerous fields that needs to be extracted. Here's some examples: status file http_request http_referer You can look in props.conf for more examples. You can also check the Web datamodel. j ... View more

Hi dchima The problem is most likely due to fields not being extracted correctly. The most important ones for the eventtype=pageview to work is "file". Check if you have this field correctly extracted. If not, try and fix this extraction. As you can define whichever log format you want with Apache and NGINX, it is not guaranteed it will work automatically with your configuration. The app assumes the default one. The app also comes with an alternative configuration for the logs under the sourcetype "apache:access". This might work better for you. This configuration corresponds to the one we have defined in the Add-on for Apache: https://docs.splunk.com/Documentation/AddOns/released/ApacheWebServer/Configure Please also review the troubleshooting steps here: https://splunkbase.splunk.com/app/2699/#/details Let me know how you get along. j ... View more

Hi IIS data can overwrite the host field based on content of the data. Make a search for tag=web for and find out what host field you see and then use this host field instead of the one you see in the setup page. good luck j ... View more

Hi wegscd I'm having the same issue. Did you get anywhere with this? Did you managed to prevent previews somehow? j ... View more

You can try and wrap you search in the map command that dynamically let's you generate another search. This generates an event in the summary index with host=hello set from the outer search. |makeresults count=1 | eval asset_id="hello" | map search=" search index=\"main\" | collect index=scanned_app host=$asset_id$ " j ... View more

Hi Brian I have not tried this myself but I believe it would work if you manually change the configuration for the wa_settings.csv lookup so it adds the site to each event based on your new rules. There is an automatic lookup that does this. First do a field extraction to extract that part of the path in the menu Settings->Fields - you have called it sub_site in your example above. Then modify the auto lookup to add the site field based on this new field rather than the host and source which is the default setting. Let me know how you get along. j ... View more

Hi swipkey Try and run a search "tag=web" in the search bar and check what the host name is for the returned logs. You can also check if the field "site" is already populated. It might actually work even though the Documentation checklist if marking it red. If site fields is not visible, try and copy what you actually see as the host field and paste that into the site setup page. There's also some additional troubleshooting steps at the bottom of the Documentation page. Let me know how you get along. j ... View more

A new version of the app has now been launched which addresses lot of issues and adds new functionality - v.2.0.0 Check it out here: https://splunkbase.splunk.com/app/2699/ ... View more