Lookups not working; Fields with confusing Data

momoXD
Explorer

Hey everyone,
I've got a problem concerning the "Generate Pages" and "Generate Sessions" lookups. Neither of them creates any results.
When searching for '* tag=web eventtype="pageview"' in the context of the app, there are several thousand log entries per minute available, so a lack of data is obviously not the cause of the problem. However, on closer inspection, one can see that several fields contain the wrong data (see the incomplete list below):

  1. The user_agent field contains cookie data
  2. The cookie field sometimes contains IP addresses

This leads to the impression that the "Splunk Web App for Analytics" can't deal with the log type we are using. To confirm that impression, we imported a small extract of the logs into a standalone instance, and all of a sudden it worked.
So my impression is that some configuration on the "big production" Splunk instance is interfering with the app. Is that possible?
I am guessing that the app's extractions and our custom-built instructions somehow disrupt each other. Might that be the case, or is there a different setting that is likely to cause the problem?

As a reference, I have added one log entry below.

192.168.0.1 - - [04/Jul/2017:08:18:04 +0200] "GET /fakeTest/javax.faces.resource/richfaces.js.xhtml?_=1499178984898 HTTP/1.1" 200 24580 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" "JSESSIONID=LIATgPTq8jvzhbUZQqxhusWL.Xrs51_1; prodXrs=rd1o00000000000000000000ffff8b195a56o5100; [.. a lot more of Cookie Data];" "192.168.0.1" "-" "my.domain.com" "-" "https://my.domain.com/my/referrerpage/index.xhtml
0 Karma
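The posted line is not in the Apache "combined" layout: after the status and byte count it carries the user agent first, then the cookie, then several more quoted fields, with the referer last. A standard combined-format extraction expects referer then user agent in those first two quoted slots, which would put the browser string into referer and the cookie into user_agent, exactly the first symptom reported above. The following parser is an added example, not code from the original post or from the app; the app's real extraction is not visible here, and the names given to the later quoted fields (forwarded_for, vhost, field9, field11) are assumptions based on their values in the sample.

```python
import re

# Constructed sample in the same layout as the line posted in the question
# (cookie shortened, closing quote on the referer restored).
SAMPLE = (
    '192.168.0.1 - - [04/Jul/2017:08:18:04 +0200] '
    '"GET /fakeTest/javax.faces.resource/richfaces.js.xhtml?_=1499178984898 HTTP/1.1" '
    '200 24580 '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" '
    '"JSESSIONID=LIATgPTq8jvzhbUZQqxhusWL.Xrs51_1; prodXrs=rd1o00000000000000000000ffff8b195a56o5100;" '
    '"192.168.0.1" "-" "my.domain.com" "-" '
    '"https://my.domain.com/my/referrerpage/index.xhtml"'
)

# Common prefix shared by both layouts: client, ident, user, timestamp,
# request line, status and bytes.
_PREFIX = (
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
)

# Apache "combined" layout: the two quoted strings after bytes are
# referer, then user agent. Trailing fields are ignored (no anchor at end),
# as a generic extraction would do.
COMBINED = re.compile(_PREFIX + r'"(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"')

# Layout actually used by the posted line. Names for the later quoted
# fields are assumptions (hypothetical) derived from their sample values.
CUSTOM = re.compile(
    _PREFIX
    + r'"(?P<useragent>[^"]*)" "(?P<cookie>[^"]*)" "(?P<forwarded_for>[^"]*)" '
    + r'"(?P<field9>[^"]*)" "(?P<vhost>[^"]*)" "(?P<field11>[^"]*)" '
    + r'"(?P<referer>[^"]*)"$'
)


def parse(line, pattern):
    """Return the named groups of `pattern` matched against `line`, or None."""
    m = pattern.match(line)
    return m.groupdict() if m else None


def mislabeled(line):
    """Combined-format field names whose value differs from the custom layout.

    These are the fields a combined-format extraction would populate with
    the wrong data for this log format.
    """
    combined = parse(line, COMBINED)
    custom = parse(line, CUSTOM)
    if combined is None or custom is None:
        return []
    return sorted(k for k in combined if k in custom and combined[k] != custom[k])


if __name__ == "__main__":
    for name, pattern in (("combined", COMBINED), ("custom", CUSTOM)):
        fields = parse(SAMPLE, pattern)
        print(f"{name}: user_agent={fields['useragent'][:30]!r} referer={fields['referer'][:30]!r}")
    print("mislabeled by a combined-format extraction:", mislabeled(SAMPLE))
```

Running the block shows the combined-format parse placing the JSESSIONID cookie in the user agent field and the real user agent in the referer; only the custom layout yields sane values. The second symptom from the question (IP addresses in the cookie field) is not reproduced here because it depends on the app's own extraction, which the page does not show.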

woodcock
Esteemed Legend

Run these two commands on each system:

$SPLUNK_HOME/bin/splunk test sourcetype <path to your file here>
$SPLUNK_HOME/bin/splunk cmd btool props list <sourcetype> --debug

You will find your culprit.

0 Karma