I've tried setting up the WebIntelligence app on my splunk deployment but I'm falling short somewhere since most all of the views report "no results found"
Here's the background on the setup page:
Step 2: N/A web logs are already indexed
Step 3: sourcetype="iis"
If I hit the preview button below Step 3, I get the most recent 20 logs from the | head 20 command. I can remove the "| head 20" and get the data for the last day (or last few months if I like, just for argument's sake).
Step 4:
Initially I created a list of IP's to exclude, but I later modified this to be 1.1.1.1 to essentially have no exclusions (I can't leave the field blank). My assumption was that I would tweak this later.
What I find interesting when you click the preview button is that the search is:
sourcetype="iis" clientip=1.1.1.1 | head 20
It's an IP to exclude, but in the preview, it's the only IP address included. This may be by design so that you see the data you will be excluding? In my case, no data, so I modify the search with a NOT operator in front of the clientip and of course see events.
For the referring domain, I again had a valid value initially, but later changed this to *.thisisnotarealdomain.zzz as part of troubleshooting.
I enter part of my real domain name between asterisks as in *blah* (redacted here). When I click preview I get no matching events.
The only pages I exclude are *php and *.css.
After saving, I populated the lookup table and edited the file with the custom name for each source as directed by the documentation. This file appears to be updating each day as expected.
I've actually had this all configured a few weeks, but it's only just now bubbled back up to the top of my to-do list to fix. Therefore, no backfilling of data should be necessary.
The values in the eventtypes.conf file all match what I've entered through the GUI and all the .conf files are as generated by the installation and configure of the app via the GUI (in other words, none of them have been modified manually).
On the real-time dashboard, I only see data for "Traffic Patterns". All of the other charts show "No Results found".
Most all of the views are showing "No Results found" with the following exceptions:
Under IT Operations, I do see data for traffic patterns
Under Custom Dashboards/Access Center, the charts all display data with the exception of the Introduction, which shows an error "Splunk has failed to locate the template for uri '/APP/webintelligence/appserver/static//Access/access_center_intro.html'" (this file does seem to be missing).
The setup seems pretty straight forward. I'm wondering if I'm just missing the obvious somewhere.
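As an added illustration (not part of the original post and not the WebIntelligence app's own generated eventtype), the two searches below turn the setup values described above into an explicit exclusion search and a quick check that the exclusion actually takes effect. The field names `cs_uri_stem` and `cs_Referer` are assumed IIS extractions for the page and referrer; `clientip` is the field the app's preview used. Substitute your own real domain for the placeholder `blah`.

```spl
sourcetype="iis" NOT clientip="1.1.1.1" NOT cs_uri_stem="*.php" NOT cs_uri_stem="*.css"
| stats count BY clientip
| search clientip="1.1.1.1"

sourcetype="iis" NOT clientip="1.1.1.1" NOT cs_uri_stem="*.php" NOT cs_uri_stem="*.css" cs_Referer="*blah*"
| stats count BY cs_Referer
```

The first search should return zero rows: if the excluded address still shows up in the count, the NOT clause is not matching the field the app is using, which is the same symptom the preview shows when the exclusion IP is searched as an inclusion. The second search shows which referrer values survive the wildcard, so an empty result there points at the referrer field name or the wildcard pattern rather than at the views themselves.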