We are in the process of setting up the Splunk App for Web Analytics, and one of the gaps we have identified is that the web.bytes field is not populated after the Web Analytics app does its magic. We are seeing site visits come up, but this particular field never seem to show any data. Is there a particular field we need to make sure that IIS includes in the logs for this to be populated?
Our web servers are all running Windows Server 2012 R2, if that helps any.
Yes, make sure the following fields are enabled in your IIS logging:
cs_Referer
cs_version
cs_bytes
cs_Cookie
We pretty much enabled all the IIS logging and the app looks pretty good. Make sure to read up on the threads in here, we had to make a change to the Data Model in order for the app to work in a search head cluster. Also, read the latest update on http_user_agent.
https://answers.splunk.com/answers/442049/splunk-app-for-web-analytics-http-user-agent-missi.html#co...