Splunk for web analytics subsite

bkirk
Path Finder

So after fumbling around and getting the Splunk for Web Analytics app working, we were asked to base the sites on the first part of the path of the URI.

For example we have www.example.com/abc and www.example.com/xyz.
These logs come from the same IIS server and the same log, but they want to treat these like 2 different sites.

I tried modifying the generate sessions and generate pages to include the first part of the URI as the site and then added both sites to the website page:

     Site                  Host          Source
1    www.example.com       example.com   C:\LogFiles\WebLogs\*.log
2    www.example.com/abc   example.com   C:\LogFiles\WebLogs\*.log
3    www.example.com/xyz   example.com   C:\LogFiles\WebLogs\*.log

This is the logic I added to the Generate Sessions and pages to make the first part of the path part of site:

| rex field=http_request "(?<sub_site>\/[^\/]+)(?<mod_request>\/.*)$"
| fillnull sub_site value=""
| eval site=site+sub_site
| eval http_request=if(isnull(mod_request), http_request, mod_request)

But then all 3 sites seem to have the same stats and nothing really appears when I try to select any of them in any of the dashboards.

Besides having these sites put into separate log files, is there any other way I can have multiple sites split out from the same host/log sources?

Thank you,
Brian

0 Karma

jbjerke_splunk
Splunk Employee

Hi Brian

I have not tried this myself but I believe it would work if you manually change the configuration for the wa_settings.csv lookup so it adds the site to each event based on your new rules. There is an automatic lookup that does this.

First do a field extraction to extract that part of the path in the menu Settings->Fields - you have called it sub_site in your example above. Then modify the auto lookup to add the site field based on this new field rather than the host and source which is the default setting.

Let me know how you get along.

j

0 Karma
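
A self-contained search for checking the sub-site split before touching the app's automatic lookup, added here as an example; it is not part of either post or of the Splunk for Web Analytics app. The request paths are constructed sample data, the eval that builds site stands in for the lookup, and two things go beyond the regex posted above: the second capture group is optional so that a bare /abc still matches, and sub_site is kept only for the two known sub-sites.

```spl
| makeresults
| eval http_request=split("/abc/page1.html,/xyz/a/b.html,/abc,/index.html,/images/logo.png", ",")
| mvexpand http_request
| eval host="example.com"
| rex field=http_request "^(?<sub_site>/[^/]+)(?<mod_request>/.*)?$"
| eval sub_site=if(in(sub_site, "/abc", "/xyz"), sub_site, "")
| eval site="www.example.com".sub_site
| eval page=if(sub_site=="", http_request, coalesce(mod_request, "/"))
| table host http_request sub_site site page
```

Without the in() filter, every first path segment (here the constructed /images) would become a site of its own. Host and source are identical for all three rows in the website table, so sub_site is the only field in these events that can tell the sites apart.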