I made changes to props.conf similar to your settings (above 2). But the webintelligence app is not displaying any output. From the webintelligence search, if I search for the following queries I get results.
Another problem is that wisummary* indexes contain no events. I don't know where I am making mistakes!
I have a problem getting the webintelligence app to work.
I am running splunk-5.0 on CentOS and installed the webintelligence app. I am running a UF on windows-2008R2 to forward IIS logs to my splunk box. The inputs.conf on Windows is:
disabled = false
The webintelligence index has been created and the IIS logs are appearing in Splunk with sourcetype as "iis-2". From the webintelligence setup menu I have specified "index=webintelligence" under the "Specify log sources" section (when doing a preview I can see the IIS logs). But when I browse to the webintelligence app I am not getting any results.
I have the following settings in /opt/splunk/etc/system/local/transforms.conf
REGEX = ^\#.*
DEST_KEY = queue
FORMAT = nullQueue
DELIMS = " "
FIELDS = date, time, s-sitename, s-computername, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs-version, cs(User-Agent), cs(Cookie), cs(Referer), cs-host, sc-status, sc-substatus, sc-win32-status, sc-bytes, cs-bytes, time-taken
I have the following settings in /opt/splunk/etc/system/local/props.conf
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
CHECK_FOR_HEADER = true
TZ = GMT
REPORT-iis-2 = iis-2
TRANSFORMS-removecomments = removecomments
Are there any other changes required?
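The positional field extraction configured in the post above, as an added example that is not part of the original post or of the webintelligence app: it emulates the comment-dropping REGEX and the DELIMS/FIELDS split in Python and compares the configured FIELDS order with a log file's #Fields header. The sample log and all function names are constructed for illustration.

```python
import re

# FIELDS list copied from the transforms.conf quoted in the post.
FIELDS = ("date, time, s-sitename, s-computername, s-ip, cs-method, cs-uri-stem, "
          "cs-uri-query, s-port, cs-username, c-ip, cs-version, cs(User-Agent), "
          "cs(Cookie), cs(Referer), cs-host, sc-status, sc-substatus, "
          "sc-win32-status, sc-bytes, cs-bytes, time-taken").split(", ")
COMMENT = re.compile(r"^\#.*")  # REGEX from the post: comment lines are dropped

# Constructed sample log: this site was configured without cs(Cookie).
SAMPLE = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2012-11-20 10:15:02 W3SVC1 WEB01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 HTTP/1.1 Mozilla/5.0+(Windows) - www.example.test 200 0 0 5120 312 46
"""

def header_fields(lines):
    """Return the field names from the last '#Fields:' directive, or None."""
    found = None
    for line in lines:
        if line.startswith("#Fields:"):
            found = line[len("#Fields:"):].split()
    return found

def first_drift(header, configured=FIELDS):
    """Return (position, header_name, configured_name) of the first mismatch, else None."""
    for i in range(max(len(header), len(configured))):
        h = header[i] if i < len(header) else None
        c = configured[i] if i < len(configured) else None
        if h != c:
            return (i, h, c)
    return None

def extract(lines, fields=FIELDS):
    """Emulate the two transforms: drop comment lines, then split on a space
    and assign names by position, as a DELIMS/FIELDS extraction does."""
    events = []
    for line in lines:
        if not line or COMMENT.match(line):
            continue
        events.append(dict(zip(fields, line.split(" "))))
    return events

lines = SAMPLE.splitlines()
print("first drift:", first_drift(header_fields(lines)))
print("sc-status as extracted:", extract(lines)[0].get("sc-status"))
```

Because the names are assigned by position, one field missing from the IIS logging configuration shifts every later value, so the check has to be run against the raw log file where the #Fields line is still present.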