
Splunk App for Web Analytics - user session data is not showing

splunkselva
New Member

Hi,

Splunk App for Web Analytics - sourcetype configuration: recently, all web server IIS logs have been configured with the "ms:iis:auto" sourcetype instead of "iis". After this configuration change the app was not working properly. As per the documentation, I have included the new sourcetype in the event type "web-traffic" and selected generate user sessions & generate pages, then made the data model acceleration changes, but no luck.
I have even added this sourcetype's field extraction properties in the props.conf file in this app's location, but the issue is not fixed.

Can anyone suggest/guide me through the configuration steps to generate session data with sourcetype "ms:iis:auto"?

Regards,
Selva


jbjerke_splunk
Splunk Employee

Hi splunkselva,

Edit the default props.conf and copy the stanza [iis] into a new local props.conf as [ms:iis:auto].

You also need to edit the eventtype definitions in eventtypes.conf.

Let me know how you get along.

j


splunkselva
New Member

Hi jbjerke,

Thanks for the reply. I have added the ms:iis:auto sourcetype configuration in props.conf (in the local folder) and also updated the eventtype definition in eventtypes.conf. But session data is not being fetched in any of the dashboards. I have also noticed this issue for another built-in sourcetype (apache:access) as well.

ms:iis:auto sourcetype configuration in props.conf (the named capture groups that the forum software stripped from the regexes are restored below):
[ms:iis:auto]
EXTRACT-http_referer_domain = https?:\/\/(?<http_referer_domain>[^/]+) in cs_Referer
EVAL-http_referer = if(isnull(cs_Referer),"-",cs_Referer)
FIELDALIAS-cs_username = cs_username as user
FIELDALIAS-cs_User_Agent = cs_User_Agent as http_user_agent,cs_User_Agent_ as http_user_agent
FIELDALIAS-cs_uri_stem = cs_uri_stem as uri_path
FIELDALIAS-cs_uri_query = cs_uri_query as uri_query
FIELDALIAS-TimeTakenMS = TimeTakenMS as duration, TimeTakenMS as response_time, time_taken as duration, time_taken as response_time
FIELDALIAS-sc_status = sc_status as status
FIELDALIAS-s_sitename = s_sitename as site
FIELDALIAS-s_ip = s_ip as dest_ip, s_ip as dest, s_ip as dvc
FIELDALIAS-s_port = s_port as http_port, s_port as dest_port, s_port as port
FIELDALIAS-s_computername = s_computername as host
FIELDALIAS-RequestsPerSecond = RequestsPerSecond as hits_per_second
FIELDALIAS-cs_Referer = cs_Referer as http_referrer, cs_Referer_ as http_referrer, cs_Referer as http_referer, cs_Referer_ as http_referer
FIELDALIAS-cs_method = cs_method as http_method
FIELDALIAS-cs_Cookie = cs_Cookie as cookie, cs_Cookie_ as cookie
FIELDALIAS-c_ip = c_ip as src_ip, c_ip as src
FIELDALIAS-sc_bytes = sc_bytes as bytes_out
FIELDALIAS-cs_bytes = cs_bytes as bytes_in

# EXTRACT-file is defined twice in this stanza; the first definition has no
# named capture group as posted, so it extracts nothing and only one of the
# two definitions can take effect.
EXTRACT-file = .*/ in cs_uri_stem

# Dot escaped so the group only matches a last path segment that has an extension
EXTRACT-file = (?<file>\w+(?:\.\w+)+$) in cs_uri_stem

Global properties, applied to all sourcetypes for the app:

EXTRACT-http_locale = (?i)^(?:[^;\n]*;){3}\s+(?P<http_locale>[a-z]{2}(|[-][a-z]{2}));
# match(file,".") would match any non-empty value; escape the dot to test for an extension
EVAL-file = if(match(file,"\."),file,NULL)
# like(...) was missing its closing parenthesis as posted
EVAL-http_channel = if(http_referer="-","Direct", if(like(http_referer_domain,"%".site."%"),"Direct", if(isnull(http_channel), "Referal", http_channel)))
EVAL-http_referer_domain = replace(http_referer_domain, "http(s|):\/\/", "")
EVAL-http_referer_hostname = replace(replace(replace(http_referer_domain, "http(s|):\/\/", ""), "^(www|m|uk|r|l|tpc|lm).+", ""), "(.{1}[a-zA-Z]+)", "")
# Rejoined onto one line; the separator string was split across two lines in the post
EVAL-user = md5(clientip." ".http_user_agent)
LOOKUP-2_Channels = WA_channels Hostname AS http_referer_hostname OUTPUT Channel AS http_channel
LOOKUP-site = WA_settings source AS source host AS host OUTPUTNEW value AS site

eventtype definition configuration in eventtypes.conf:
[web-traffic]
search = sourcetype="aws:cloudfront:accesslogs" OR sourcetype="apache:access" OR sourcetype="iis" OR sourcetype="ms:iis:auto" OR sourcetype="access_combined" OR sourcetype="access_common" OR sourcetype="access_combined_wcookie"

Regards,
Selva

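Added example, not code from the app or from anyone in this thread: a small Python lint that parses a props.conf fragment and flags the three kinds of defect visible in the stanza posted above (an EXTRACT whose regex lost its named capture group and no longer compiles or extracts a field, the same key defined twice in one stanza, and an EVAL with unbalanced parentheses). The sample stanza is constructed from the post; `parse_stanzas`, `lint_stanza` and `lint` are hypothetical helper names, and PCRE `(?<name>...)` groups are rewritten to Python's `(?P<name>...)` before compiling.

```python
import re
from collections import Counter

# Constructed sample based on the stanza in the post, with the defects it showed.
SAMPLE = r"""[ms:iis:auto]
EXTRACT-http_referer_domain = https?:\/\/(?[^/]+) in cs_Referer
EXTRACT-file = .*/ in cs_uri_stem
EXTRACT-file = (?<file>\w+(?:\.\w+)+$) in cs_uri_stem
EVAL-http_channel = if(http_referer="-","Direct", if(like(http_referer_domain,"%".site."%","Direct","Referal"))
"""


def parse_stanzas(text):
    """Return {stanza_name: [(key, value), ...]}, keeping duplicate keys in order."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current].append((key.strip(), value.strip()))
    return stanzas


def lint_stanza(settings):
    """Return a list of problem strings for one stanza's (key, value) pairs."""
    problems = []
    for key, count in Counter(k for k, _ in settings).items():
        if count > 1:
            problems.append(f"{key}: defined {count} times in the same stanza, only one can take effect")
    for key, value in settings:
        if key.startswith("EXTRACT-"):
            regex = re.sub(r"\s+in\s+\w+$", "", value)            # drop the trailing " in <field>"
            regex = re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", regex)  # PCRE named group -> Python syntax
            try:
                if not re.compile(regex).groupindex:
                    problems.append(f"{key}: regex has no named capture group, so no field is extracted")
            except re.error as exc:
                problems.append(f"{key}: regex does not compile ({exc})")
        elif key.startswith("EVAL-") and value.count("(") != value.count(")"):
            problems.append(f"{key}: unbalanced parentheses")
    return problems


def lint(text):
    """Lint every stanza in a props.conf fragment; a clean stanza maps to an empty list."""
    return {name: lint_stanza(settings) for name, settings in parse_stanzas(text).items()}
```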

p_gurav
Champion

Hi splunkselva,

When you run eventtype=web-traffic, are you getting data with sourcetype=ms:iis:auto?


splunkselva
New Member

Hi p_gurav,

Thanks for the reply... Yes, I am getting data with the "ms:iis:auto" sourcetype. But only the Traffic Analytic Center dashboard is showing results, not the other dashboards.
