I'm currently evaluating Splunk for our environment, and have found the promising-looking Web Intelligence app...
However, I'm struggling to get it to show any data...
I've copied several of our apache access logs onto the Splunk host, and indexed the data through the 'Files & Directories' data input method...
I can see the data in the standard search app, however when I try to use Web Intelligence it just shows "No results found"...
Here is a list of field aliases that may be needed, taken from [access-extractions] in default/transforms.conf
[access-extractions]
# matches access-common or access-combined apache logging formats
# Extracts: clientip, clientport, ident, user, req_time, method, uri, root, file, uri_domain, uri_query, version, status, bytes, referer_url, referer_domain, referer_proto, useragent, cookie, other (remaining chars)
# Note: referer is misspelled in purpose because that is the "official" spelling for "HTTP referer"
Mmm, OK... I based a lot of this on the IIS log format then...
Got these in my local/props.conf file:
FIELDALIAS-ClientAddress = client_address AS clientip
FIELDALIAS-HTTP Method = http_method AS method
FIELDALIAS-HTTP Status = http_status AS status
FIELDALIAS-Referrer = referrer AS referer
FIELDALIAS-URL = url AS uri
FIELDALIAS-uri_path = url AS uri_path
FIELDALIAS-useragent = user_agent AS useragent
However I'm still not seeing data... I've updated WebIntelligence source to be sourcetype=F5_SPLUNK_iRULE, which shows results when I hit preview...
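To make the two field sets above concrete, here is an added example (not Splunk's extraction and not the poster's configuration) that parses an Apache common/combined access line into the field names listed under [access-extractions], and separately applies the poster's FIELDALIAS rules to an event carrying F5 iRule field names. The regex, the derived-field rules (including treating `root` as the first directory of the path) and the sample inputs are this example's own assumptions.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Regex for the Apache "combined" (and "common") log format, with group names
# chosen to match the field list in [access-extractions]. Written for this
# example; it is not Splunk's own extraction.
ACCESS_LOG = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<req_time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer_url>[^"]*)" "(?P<useragent>[^"]*)")?'
    r'(?P<other>.*)$'
)


def parse_access_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = ACCESS_LOG.match(line)
    if m is None:
        return None
    f = {k: v for k, v in m.groupdict().items() if v is not None}
    f["bytes"] = 0 if f["bytes"] == "-" else int(f["bytes"])
    f["status"] = int(f["status"])
    # Apache timestamp, e.g. 10/Oct/2011:13:55:36 -0700
    f["_time"] = datetime.strptime(f["req_time"], "%d/%b/%Y:%H:%M:%S %z")
    # Derive the path-related fields named in the field list.
    path, _, query = f["uri"].partition("?")
    f["uri_path"] = path
    f["uri_query"] = query
    f["file"] = path.rsplit("/", 1)[-1]
    segments = [s for s in path.split("/") if s]
    f["root"] = segments[0] if len(segments) > 1 else ""  # assumed meaning of "root"
    # Referer protocol/domain only exist for the combined format.
    ref = f.get("referer_url")
    if ref and ref != "-":
        parts = urlsplit(ref)
        f["referer_proto"] = parts.scheme
        f["referer_domain"] = parts.netloc
    return f


# The FIELDALIAS rules from the poster's local/props.conf: (original, alias).
F5_ALIASES = [
    ("client_address", "clientip"),
    ("http_method", "method"),
    ("http_status", "status"),
    ("referrer", "referer"),
    ("url", "uri"),
    ("url", "uri_path"),
    ("user_agent", "useragent"),
]


def apply_field_aliases(event, aliases):
    """Add the alias name for each rule whose original field exists; originals are kept."""
    out = dict(event)
    for orig, alias in aliases:
        if orig in event:
            out[alias] = event[orig]
    return out


def missing_fields(event, wanted):
    """Names from `wanted` that the event does not carry; a quick check of an alias set."""
    return [name for name in wanted if name not in event]


# Constructed sample inputs (not real traffic).
SAMPLE_LINE = ('203.0.113.7 - frank [10/Oct/2011:13:55:36 -0700] '
               '"GET /products/list.php?id=42 HTTP/1.1" 200 2326 '
               '"http://www.example.com/start.html" "Mozilla/5.0"')
SAMPLE_F5_EVENT = {
    "client_address": "203.0.113.7", "http_method": "GET", "http_status": "200",
    "url": "/products/list.php?id=42",
    "referrer": "http://www.example.com/start.html", "user_agent": "Mozilla/5.0",
}

if __name__ == "__main__":
    core = ("clientip", "method", "uri", "status", "useragent")
    print("apache missing:", missing_fields(parse_access_line(SAMPLE_LINE), core))
    print("f5 missing:", missing_fields(apply_field_aliases(SAMPLE_F5_EVENT, F5_ALIASES), core))
```

One thing the comparison makes visible: with `url AS uri_path`, the aliased `uri_path` still carries the query string, whereas the Apache-derived `uri_path` is the path alone, so views that group by path will treat the two sources differently.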
As an update, I've got decent data running into Splunk using the F5 Networks app and its associated iRule...
How can I get the data formatted such that Web Intelligence supports it? Is it a case of creating some field aliases?
Have you gone through the setup workflow for the app (located at /app/webintelligence/setup)? Using this, you can enter the correct sources/sourcetypes for your access logs as well as other filters you may want to set, and then use the Preview buttons to ensure that your settings are correct.
Can you search any 5-minute time range in the day before to see if charts show up on the dashboards? It's not an issue of realtime vs not. Basically, any time range that exceeds 5 minutes will search the summary indexes instead of the raw data.
Do you see any data if you search for a timerange that's less than 5 minutes? For most of the views, any timerange that's over 5 minutes searches against summary indexes. A simple way to sanity check that your app is configured correctly is to try and search for a timerange when you know there is data and that spans less than 5 minutes.
Many of the views in Web Intelligence rely on summarized data. The 'stats count' is a bit strange. Did you follow the directions to summarize your data? Do you see anything in the summary indexes?
I'm having the same issues. I'm quite curious to know what's going on, and eager for a solution (the app looks so interesting). I'm new to Splunk, but it seems like the search can't be right - like it's composed incorrectly. For instance, why would the subsearch begin with 'stats count'... shouldn't that be the target of a search?
The search being run is:
search host=* [ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=3605, "index=wi_summary_fivemin", if(range<=(86400+3600), "index=wi_summary_hourly", "index=wi_summary_daily")) ] source="Pageview*" sourcename="*" | top uri
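The subsearch is not as odd as it looks: `stats count` produces a single row, `addinfo` attaches the outer search's time bounds to it, and the `search` field that the `eval` builds is what Splunk substitutes back into the outer search. The added example below (written for this thread, not code from the app) mirrors that decision in Python and runs it against a constructed stand-in for the indexer in which raw events exist but the summary indexes are empty, which is the situation the earlier replies describe. The event store, the `main` index name and the sample windows are this example's assumptions.

```python
from dataclasses import dataclass

# Thresholds taken from the subsearch above.
FIVEMIN_MAX_RANGE = 3605          # up to about an hour: 5-minute summary
HOURLY_MAX_RANGE = 86400 + 3600   # up to about a day: hourly summary


def choose_summary_index(info_min_time, info_max_time):
    """Same decision as the `eval search=if(...)` in the subsearch. addinfo supplies
    info_min_time/info_max_time (epoch seconds) for the outer search's time range."""
    span = info_max_time - info_min_time
    if span <= FIVEMIN_MAX_RANGE:
        return "index=wi_summary_fivemin"
    if span <= HOURLY_MAX_RANGE:
        return "index=wi_summary_hourly"
    return "index=wi_summary_daily"


def expand_search(info_min_time, info_max_time, host="*"):
    """The outer search as it reads once Splunk substitutes the subsearch's `search` field."""
    return (f'search host={host} {choose_summary_index(info_min_time, info_max_time)} '
            f'source="Pageview*" sourcename="*" | top uri')


@dataclass
class Event:
    index: str
    time: int
    uri: str


# Constructed stand-in for the indexer: raw events in "main" (an assumed index
# name), and nothing at all in the wi_summary_* indexes.
STORE = [
    Event("main", 1000, "/index.html"),
    Event("main", 1100, "/products/list.php"),
    Event("main", 1200, "/index.html"),
]


def count_hits(store, index_clause, info_min_time, info_max_time):
    """Events the expanded search would see: only those in the chosen index and window."""
    index = index_clause.split("=", 1)[1]
    return sum(1 for e in store
               if e.index == index and info_min_time <= e.time <= info_max_time)


def diagnose(store, info_min_time, info_max_time):
    """Return (chosen index clause, hits in it, hits in raw 'main' for the same window)."""
    clause = choose_summary_index(info_min_time, info_max_time)
    return (clause,
            count_hits(store, clause, info_min_time, info_max_time),
            count_hits(store, "index=main", info_min_time, info_max_time))


if __name__ == "__main__":
    for window in ((900, 1300), (0, 90000), (0, 200000)):
        print(window, expand_search(*window))
        print("   ", diagnose(STORE, *window))
```

Whatever window is chosen, the expanded search always reads a wi_summary_* index, never the raw access-log events; so `diagnose` reports raw hits alongside zero summary hits, which is exactly the "No results found" symptom until the summarizing searches have populated those indexes.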