Getting Data In

IIS Logs & WebIntelligence

33itsec
Engager

Hi,

I have a problem getting the webintelligence app to work.

I am running splunk-5.0 on CentOS and installed webintelligence app. I am running UF in windows-2008R2 to forward IIS logs to my splunk box. The inputs.conf at Windows is:

[monitor://C:\inetpub\logs\LogFiles\*\*.log] 
disabled = false 
index=webintelligence
sourcetype=iis

The webintelligence index has been created and the IIS logs are appearing in Splunk with sourcetype as "iis-2". From the webintelligence setup menu I have specified "index=webintelligence" under "Specify log sources" section (when doing preview I can see the IIS logs). But when I browse to webintelligence app I am not getting any results.

I have the following settings in /opt/splunk/etc/system/local/transforms.conf

[removecomments]
REGEX = ^\#.*
DEST_KEY = queue
FORMAT = nullQueue

[iis-2]
DELIMS = " "
FIELDS = date, time, s-sitename, s-computername, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs-version, cs(User-Agent), cs(Cookie), cs(Referer), cs-host, sc-status, sc-substatus, sc-win32-status, sc-bytes, cs-bytes, time-taken

I have the following settings in /opt/splunk/etc/system/local/props.conf

[iis-2]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
CHECK_FOR_HEADER = true
TZ = GMT
REPORT-iis-2 = iis-2
TRANSFORMS-removecomments = removecomments

Are there any other changes required?

Thank you.

Sathish.
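As an added illustration (not code from this thread or from the WebIntelligence app), here is a small Python model of what the two stanzas in the question do: the removecomments transform sends every `#` line to nullQueue, and the DELIMS/FIELDS extraction splits each remaining line on single spaces into the configured field names. It runs over a constructed IIS W3C log, shows why a field such as cs(User-Agent) is searched as cs_User_Agent_ (Splunk replaces non-alphanumeric characters in extracted field names with underscores; that mapping is my understanding, not taken from the thread), and adds the check a practitioner wants once CHECK_FOR_HEADER is turned off: the static FIELDS list must agree with the log's own #Fields header, or every column after the first mismatch is mislabelled.

```python
import re

# Constructed sample of an IIS W3C log (not taken from the question). The
# #Fields: header deliberately lists the same 22 columns as the FIELDS below.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-01-15 00:00:00
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2013-01-15 00:00:01 W3SVC1 WEB01 10.0.0.5 GET /index.html - 80 - 10.0.0.9 HTTP/1.1 Mozilla/5.0+(X11;+Linux+x86_64;+rv:15.0)+Gecko/20100101+Firefox/15.0 - - www.example.com 200 0 0 1523 410 15
2013-01-15 00:00:02 W3SVC1 WEB01 10.0.0.5 GET /login.aspx id=1 80 - 10.0.0.9 HTTP/1.1 Mozilla/5.0 - - www.example.com 404 0 2 1201 390 3
"""

# The static FIELDS value from the question's transforms.conf [iis-2] stanza.
FIELDS = ("date, time, s-sitename, s-computername, s-ip, cs-method, cs-uri-stem, "
          "cs-uri-query, s-port, cs-username, c-ip, cs-version, cs(User-Agent), "
          "cs(Cookie), cs(Referer), cs-host, sc-status, sc-substatus, sc-win32-status, "
          "sc-bytes, cs-bytes, time-taken")
CONFIGURED_FIELDS = [f.strip() for f in FIELDS.split(",")]


def splunk_field_name(name):
    """Model of Splunk's field-name cleanup: anything that is not alphanumeric
    or underscore becomes '_', so cs(User-Agent) is searched as cs_User_Agent_."""
    return re.sub(r"[^A-Za-z0-9_]", "_", name)


def parse_iis_log(text, configured_fields):
    """Apply the two stanzas: drop '#' lines (removecomments -> nullQueue) and
    split every other line on DELIMS=" " into the configured field names.
    Returns (events, header_fields) so the header can be checked separately."""
    names = [splunk_field_name(f) for f in configured_fields]
    events, header_fields = [], None
    for line in text.splitlines():
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                header_fields = line[len("#Fields:"):].split()
            continue  # comment line: Splunk would never index it
        events.append(dict(zip(names, line.split(" "))))
    return events, header_fields


def header_matches_config(header_fields, configured_fields):
    """With CHECK_FOR_HEADER = False the static FIELDS list is trusted blindly;
    this is the check that IIS's chosen logging columns really match it."""
    return header_fields == configured_fields
```

If IIS on the forwarder logs a different column set than the FIELDS list (a common cause of an app showing nothing), this check fails while the events still appear in a bare index=webintelligence search, which is exactly the symptom in the question.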

naydenk
Path Finder

The only difference with mine is that in my props.conf on the indexer, I have these two set (differently than yours):

CHECK_FOR_HEADER = False
TZ = UTC

I also have this entry in the props.conf on the client UF, but I think it is not needed/used:

[source::(?i)...\\inetpub\\logs\\u*.log]

naydenk
Path Finder

I am not familiar with that app, so I can't say for sure... The summary index may get fed by something you have to enable in the app configuration. If you see the data from your logs get into the index called webintelligence (do a simple search 'index=webintelligence' for the past 24 hours or whatever you think is good to see data), then your data is flowing into Splunk OK. The app may have special filters and queries that expect data a certain way - you can either look at its configs and try to see what it expects, post them here, or maybe contact Splunk Support, depending on your comfort level.


33itsec
Engager

Hi,

I made changes to props.conf similar to your settings (the two above), but the webintelligence app is not displaying any output. From the webintelligence search, if I search for the following queries I get results.

cs_User_Agent_="Mozilla/5.0+(X11;+Linux+x86_64;+rv:15.0)+Gecko/20100101+Firefox/15.0"
cs_version="HTTP/1.1"
eventtype=web-traffic
eventtype="pageview"

Another problem is that the wi_summary_* indexes contain no events. I don't know where I am making mistakes!

Thank you.

Best,
Sathish.
