I'm working on building the lookups and data model for the Splunk App for Web Analytics. I'm supporting an environment with multiple websites (eg roadrunner.acme.com, coyote.acme.com, anvil.acme.com) and lots of web servers (server1, server2, server3, and so on).
I note that the Setup New Website dialog asks for site, host, and source information, and will accept a wildcard for the host field. Two things: in the real world, I might have hundreds of hosts that match a wildcard search (server*), and yet only a few that host roadrunner.acme.com. It would be better if I could name multiple specific hosts for a given website, rather than have to do this through a wildcard; yet the form actually allows the user to input multiple hosts for a given website, but then will not work to build lookups. And if my host naming convention (prior to the *) and log file path are the same for coyote.acme.com, I suspect that will also cause a problem in the app, though I've not gotten that far yet.
Finally, the initial lookup build for "Generate User Sessions," and "Generate pages," is excruciatingly slow, perhaps due to the wildcard search on the host name. Tips for speeding this up in the documentation, or at least a clearer idea of what "a long time," means, would be helpful.
... View more