Splunk App for Web Intelligence: what should column names be for IIS log data?

Question

I'm having a problem getting web intel app showing any results. I've investigated a bit, and think the problem is the column names I used.

This is what I currently have set:

[iislogs] (from transforms.conf)

FIELDS = "date", "time", "s_siteName", "s_computername", "dest_ip", "http_method", "uri_stem", "uri_query", "dest_port", "user", "src_ip", "http_user_agent", "http_cookie", "http_referrer", "dest_host", "http_response", "http_sub_response", "sc_win32Status", "bytes_out", "bytes_in", "duration"

DELIMS = " "

What column names does web intel expect me to have?

Accepted Answer

1	Figured it out. For anyone else who wants a fix for this: 1) navigate to Manager » Fields » Field aliases 2) Click on each alias, and add a new alias link answered 21 Oct '11, 17:17 stjack99 85●1●1●8 accept rate: 40% 1 What aliases did you add? (20 Dec '11, 08:52) CraigF

Answer 2

Here is a list of field aliases that may be needed, taken from [access-extractions] in default/transforms.conf

[access-extractions]
# matches access-common or access-combined apache logging formats
# Extracts: clientip, clientport, ident, user, req_time, method, uri, root, file, uri_domain, uri_query, version, status, bytes, referer_url, referer_domain, referer_proto, useragent, cookie, other (remaining chars)  
# Note: referer is misspelled in purpose because that is the "official" spelling for "HTTP referer"

Splunk App for Web Intelligence: what should column names be for IIS log data?

Follow this question

Splunk Resources

Related questions