
So as far as I can understand, you can define a common sourcename for several sourcetypes.

I am using the webintelligence beta app, and this generates a sourcenames.csv file in /splunk/etc/apps/webintelligence/lookups

It looks like this:

source,sourcename
"/var/log/apache2/access.log","sourcename"

But when I search for "sourcename" it does not find anything.

What am I missing? I feel I've read the manual on webintelligence and I cannot find any more info on this.

Thanks!

asked 16 Apr '12, 11:59


evosplunk
9116
accept rate: 0%


One Answer:

If you want to search for a particular sourcename, use

eventtype=web-traffic | lookup sourcenames.csv source outputnew sourcename | search sourcename="<SOURCENAME_TO_SEARCH>"

Sourcename is not in the original event data so you must enrich the data through the lookup table.

Keep in mind you'll need to be within the web intelligence app as neither the lookup nor eventtype have global visibility.


answered 16 Apr '12, 12:18


pstout
36815
accept rate: 14%

edited 16 Apr '12, 12:18
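To show why the raw events match nothing until the lookup has run, here is an added Python model of Splunk's `lookup ... OUTPUTNEW` enrichment over a CSV table in the same shape as sourcenames.csv. It is illustration only, not Splunk's own code or the web intelligence app's; the lookup rows, the events and the "vorcast.org" / "example.net" sourcenames are constructed, and it assumes exact, case-sensitive matching on the `source` field.

```python
"""Model of Splunk's `lookup <table> <key> OUTPUTNEW <field>` enrichment.

Added illustration, not Splunk code. Shows that `search sourcename="x"`
finds nothing before the lookup (the field does not exist on the raw event)
and matches only after the lookup has added it.
"""
import csv
import io

# Constructed lookup table in the same shape as webintelligence's sourcenames.csv
SOURCENAMES_CSV = """source,sourcename
"/var/log/apache2/access.log","vorcast.org"
"/var/log/apache2/other_access.log","example.net"
"""

# Constructed raw web events: they carry `source` but no `sourcename` field
EVENTS = [
    {"source": "/var/log/apache2/access.log", "clientip": "10.0.0.1", "uri": "/"},
    {"source": "/var/log/apache2/access.log", "clientip": "10.0.0.2", "uri": "/login"},
    {"source": "/var/log/apache2/other_access.log", "clientip": "10.0.0.3", "uri": "/"},
    # No lookup row for this source: the event passes through un-enriched
    {"source": "/var/log/apache2/unknown.log", "clientip": "10.0.0.4", "uri": "/"},
]


def load_lookup(csv_text, key="source"):
    """Parse a Splunk-style CSV lookup into {key value: row dict}."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row[key]: row for row in rows}


def apply_lookup(events, table, key="source", output_fields=("sourcename",),
                 outputnew=True):
    """Emulate `lookup <table> <key> OUTPUT/OUTPUTNEW <fields>`.

    OUTPUTNEW fills only fields the event does not already have; OUTPUT
    overwrites. Events whose key has no row in the table are left unchanged.
    Matching is exact and case-sensitive (assumption for this model).
    """
    enriched = []
    for ev in events:
        ev = dict(ev)  # do not mutate the caller's events
        row = table.get(ev.get(key))
        if row is not None:
            for field in output_fields:
                if outputnew and field in ev:
                    continue
                ev[field] = row[field]
        enriched.append(ev)
    return enriched


def search_field(events, field, value):
    """Emulate `search field="value"`: exact match on an existing field only."""
    return [ev for ev in events if ev.get(field) == value]


def count_by_sourcename(events, sourcename, csv_text=SOURCENAMES_CSV):
    """Return (matches before the lookup, matches after the lookup)."""
    before = len(search_field(events, "sourcename", sourcename))
    table = load_lookup(csv_text)
    after = len(search_field(apply_lookup(events, table), "sourcename", sourcename))
    return before, after


if __name__ == "__main__":
    print(count_by_sourcename(EVENTS, "vorcast.org"))  # (0, 2)
```

`count_by_sourcename` returns `(0, 2)` for "vorcast.org": the plain search sees no `sourcename` field at all, so the pipeline must run the lookup first, exactly as the answer's `eventtype=... | lookup sourcenames.csv source outputnew sourcename | search sourcename=...` does. The `outputnew` flag also shows the one subtlety worth knowing: if an event already carries a `sourcename`, OUTPUTNEW keeps it and OUTPUT replaces it.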

But all the searches from within webintelligence don't return any results, with searches like

search host= [ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=(86400+3600),"index=wi_summary_hourly","index=wi_summary_daily") ] source="User session visitor source" sourcename="vorcast.org" | timechart eval(sum(myeventcount)) AS pageviews, dc(clientip) AS unique_visitors, eval((sum(myeventcount))/dc(clientip)) AS avg_pageviews

(16 Apr '12, 15:09) evosplunk

Where are you searching? I'm using this URI:

http://<splunk-server:port>/en-US/app/webintelligence/flashtimeline

You can't just use the sourcename in the query without first specifying the lookup table as I mentioned above using the "lookup" command. The field does not exist before this.

(16 Apr '12, 15:13) pstout

I'm just trying to get the en-US/app/webintelligence/business_pageviews etc. (predefined searches) to show something; they are not, although the search you provided works well.

(16 Apr '12, 15:38) evosplunk

Have you gone through the setup process?

/en-US/app/webintelligence/setup

Particularly #3 -- "Specify Log Sources." It's been some time since I configured the app for web intelligence but this would certainly impact the population of the bundled dashboards.

If so, do other dashboards populate? Do you get any error messages? Have you made any changes to the saved searches or eventtypes defined in the stock WI app?

(16 Apr '12, 15:44) pstout

Maybe I just misunderstand the setup.

None of the dashboards show anything. I've gone through the setup process, and I have specified one apache access log and one error log for testing.

I've not made changes to the stock searches; am I supposed to?

(16 Apr '12, 15:47) evosplunk

In that box, you should put something like:

index="main" sourcetype="access_combined"

Of course, replace the index and sourcetype with actual values from your instance.

(16 Apr '12, 15:51) pstout

I just put in sourcetype="vorcast*". I've defined the sourcetype in the index before; there's a preview button there, and that shows me that it finds something based on my search.

Thank you very much for helping me understand this btw, much appreciated!

(16 Apr '12, 16:00) evosplunk

For instance, this search, ReportOps - Top URI By Good Status, looks like this:

timerange_hack source="Web Traffic goodstatus*" | eval status=toString(floor(status/100))+"xx" | stats values(myclientip) as myips sum(hits) as myhits by uri, status | mvexpand myips | stats dc(myips) as "unique ips" max(myhits) as "total count" by uri, status

What is the source in this? Where is that source defined? Am I supposed to change it?

(16 Apr '12, 16:13) evosplunk

That source might be the product of a summary index saved search. You shouldn't have to change the sources that are predefined.

Not sure what sourcetype="vorcast" is. The web intelligence app should be looking for Apache access_combined or Microsoft IIS logs. These should be sourcetype="access_combined" or sourcetype="iis"

If you open your search app, can you get results for any of the following searches?

sourcetype="access_combined"

sourcetype="access_common"

sourcetype="iis"

(16 Apr '12, 18:43) pstout

Sorry, vorcast is a site; the sourcetype=vorcast is an apache access and error log. They are defined in splunk as vorcast_access and vorcast_error, so sourcetype=vorcast shows all of that in a search; I see that it works. Searches for access_combined etc. also show results.

The site in question logs to its own log files.

(17 Apr '12, 03:35) evosplunk
Asked: 16 Apr '12, 11:59

Seen: 601 times

Last updated: 17 Apr '12, 04:14

Copyright © 2005-2012 Splunk Inc. All rights reserved.