The search is being performed directly from the splunk search bar against an apache_combined sourcetype file. The count is returned just fine but the field11 is not for my colleagues. I also have a dashboard for this query and it is setup for 'App' sharing and that experiences the same issue. ... View more

Thank you for the response Rich. I asked our Splunk Admin to compare my roles with my co worker to ensure we both have same access for objects - indexes, extracted/calculated fields, etc I asked my co-worker to search in 'Verbose' mode as well, but that had the same problem with field11 not returning anything. I'll post here what my Splunk Admin comes back with after he compares our roles ... View more

hello jbjerke, yes, i understand it is log file not conforming to the what the app expects. in my last comment i was simply stating that the 2nd part of the spl is satisfied due to missing fields. currently in my props.conf i'm converting the apache_combined to access_combined and that is not populating all the fields the app expects. I will take your suggestion of converting to apache:access and let you know how things turn out. below is the first line of my props.conf and i'll change it now, delete records from index and reload the log files to see what happens [t-splunk@lgtisplunk1 default]$ cd /apps/splunk/etc/users/admin/SplunkAppForWebAnalytics/local/ [t-splunk@lgtisplunk1 local]$ cat props.conf Added this -- first thing rename the apache_combined source to access_combined as application request it. [apache_combined] rename = access_combined ... View more

Hello jbjerke, Thank you for responding. Initially my record's eventtype had "non-pageview" associated with it not "pageview" what the generate user session search was requesting. I viewed the file SplunkAppForWebAnalytics/default/eventtypes.conf file and found how the two fields are getting assigned [pageview] search = eventtype=web-traffic status=200 NOT (eventtype=web-uri-nonpage OR eventtype=ua-bot OR eventtype=exclude-pageview OR eventtype=clientip-internal) (http_method=GET OR NOT http_method=*) [non-pageview] search = eventtype=web-traffic eventtype!=pageview my problem was that 'status' was not extracted for me so that is why non-pageview was being assigned to the eventtype. i created an extraction rule to have 'status' extracted. i deleted records from my apache.log and from the associated index, then i reloaded records back into my apache.log which populated my index again. Now, the eventtype was correct as 'status' was found. then i tried to generate user sessions again, it made it past this first part, but then failed on the 2nd part of the spl 1st part-- search (eventtype=pageview site=*) | eval time='time', http_referer=(('_time' . "") . http_referer), http_referer_domain=(('time' . "") . http_referer_domain), http_referer_hostname=(('time' . "") . http_referer_hostname) | fields + time, time, http_referer, http_referer_domain, http_referer_hostname, site, clientip, http_user_agent, http_request | transaction site clientip http_user_agent maxpause=30m maxspan=4h keepevicted=f | eval user=md5(((clientip . "") . http_user_agent)), http_session=md5(((((clientip . "") . http_user_agent) . "") . '_time')) 2nd part-- | stats first(site) as site,first(user) as user, first(time) AS http_session_start, last(time) AS http_session_end,count(http_request) AS http_session_pageviews,first(duration) as http_session_duration,first(http_referer) as http_session_referrer,first(http_referer_domain) as http_session_referrer_domain,first(http_referer_hostname) as http_session_referrer_hostname by time,http_session | search user=* | eval http_session_referrer=replace(http_session_referrer,"^[0-9]*",""), http_session_referrer_domain=if((http_session_referrer == "-"),"-",replace(http_session_referrer_domain,"^[0-9]_","")), http_session_referrer_hostname=if((http_session_referrer == "-"),"-",replace(http_session_referrer_hostname,"^[0-9]_","")) | lookup WA_channels Hostname AS http_session_referrer_hostname OUTPUT Channel AS http_session_channel | eval http_session_channel=if((http_session_referrer == "-"),"Direct",if(like(site,("%" . http_session_referrer_domain)),"Direct",if((isnull(http_session_channel) AND isnotnull(http_session)),"Referal",http_session_channel))) | ifields + acceleration, datamodel_update_time, count, _time, site, user, http_session, http_session_start, http_session_end, http_session_pageviews, http_session_duration, http_session_referrer, http_session_referrer_domain, http_session_referrer_hostname, http_session_channel | outputlookup WA_sessions createinapp=true *** Note -- I will try what you suggested next and let you know how things go... ... View more

i got a bit further today and now at the point of where records are being selected initially for generate user sessions, but then fail on this part of the spl. I think my big issue at this point is that many of the fields listed below are not present in my index of records -- These records i exported from my enterprise splunk as raw, they were initially apache_combined but i rename the sourcettype to access_combined in my local props.conf. this rename appears to work fine. the area i need assistance with is the mapping that is in my "/local/props.conf" many of the fields are not mapping across and that is causing things not to work. stats first(site) as site,first(user) as user, first(time) AS http_session_start, last(time) AS http_session_end,count(http_request) AS http_session_pageviews,first(duration) as http_session_duration,first(http_referer) as http_session_referrer,first(http_referer_domain) as http_session_referrer_domain,first(http_referer_hostname) as http_session_referrer_hostname by time,http_session | search user=* | eval http_session_referrer=replace(http_session_referrer,"^[0-9]*",""), http_session_referrer_domain=if((http_session_referrer == "-"),"-",replace(http_session_referrer_domain,"^[0-9]_","")), http_session_referrer_hostname=if((http_session_referrer == "-"),"-",replace(http_session_referrer_hostname,"^[0-9]_","")) | lookup WA_channels Hostname AS http_session_referrer_hostname OUTPUT Channel AS http_session_channel | eval http_session_channel=if((http_session_referrer == "-"),"Direct",if(like(site,("%" . http_session_referrer_domain)),"Direct",if((isnull(http_session_channel) AND isnotnull(http_session)),"Referal",http_session_channel))) | ifields + acceleration, datamodel_update_time, count, _time, site, user, http_session, http_session_start, http_session_end, http_session_pageviews, http_session_duration, http_session_referrer, http_session_referrer_domain, http_session_referrer_hostname, http_session_channel | outputlookup WA_sessions createinapp=true** ... View more

hi grijhwani yes i am the adminstrator for our splunk sandbox and do have command line access as well. The System Admin who manages the linux VM that will push into my Splunk instance said he was seeing firewall issues. On my splunk instance, do i need to start any listeners or anything like that on ports 8088 and 9997? ... View more

thank you all ... View more