I have the Web Analytics running and I am going through and fixing the problems (since first of all it couldn't see any data) however, I've run in to a problem I cannot diagnose.
I am trying to get the dashboard working but some at not working. One of them uses this;
source="User session visitor source*"
However, nothing is returned. What is the process to find out what this source is, or why it wouldn't be displayed. I had a consultant in for the day and we fixed some but couldn't fix all problems with the apps I was trying to get working and trying to debug this we couldn't go through. We added a line to props.conf to ensure Splunk understood the iis log files with the headers and that worked fine. So, searching for sourcetype="iis" gives me all the fields like c_ip c_port cs_host etc but I cannot search for the source above. Where do I start?
Thank you
This search is against a summary index. If you go to Data Exploration -> search in the web intelligence app you can run the following search:
`timerange_hack_nofivemin` source="User session visitor source*"
That should return results. If it doesn't your summary index is not getting populated. Maybe the jobs are not running?
You can see the jobs by going to manager and viewing "searches and reports". For the example you gave, go look at "User session visitor source daily summary - regenerator". It should be scheduled to at least run once a day but you could change that or even for it to run now.
FYI, one good way to track down these type of things is to just go the app directory and look around. A splunk app is nothing more than files in the directory that define the inputs, searches, dashboards and field extractions. I found your search by just grepping the webintelligence/defaults directory and saw where the saved searches were defined. This is probably easier than looking through all the searches in the manager UI.
Source is normally the file or process from which the data is originally sourced.
example. /var/log/mail.log
If your app is looking for source defined as 'source="User session visitor source*"' then I would expect to see an inputs.conf on your forwarder.
ie. [monitor:///mylogs/User session visitor source 123.log]
Than you for the response, however all the logs for this app are coming from IIS and I have defined the monitor stanzer in the inputs.conf. Other sections of the app are working so I know it can understand the log files.
In trying another search I've seen this source also doesn't work;
source="Assets documents*"
I'm not especially asking anyone to solve that issue, more what are the steps so I can find the problem and then I can apply this to the other source's that are not working...