All Apps and Add-ons

After updating the Splunk App for Web Analytics to version 1.42, why do I now get zero results for a real-time search?

hatbeard
Explorer

I updated the Web Analytics app, and now I get zero results. I get nothing in the real-time dashboard which, data model aside, I should be seeing. It did work before, not sure what happened...

Anyone run into this?

Edit:

I take this out of pageview, and it works.

eventtype=web-traffic status=200 NOT (eventtype=web-uri-nonpage OR eventtype=ua-bot OR eventtype=exclude-pageview OR eventtype=clientip-internal)

to

eventtype=web-traffic status=200 NOT (eventtype=ua-bot OR eventtype=exclude-pageview OR eventtype=clientip-internal)

Removing

eventtype=web-uri-nonpage

Which, i do get results on. its puzzling to me.

tlanghals_il
Engager

I'm seeing the exact same issue with IIS logs. Removing eventtype=web-uri-nonpage from the pageview definition returns logs, where as with it in returns no results.

0 Karma

jbjerke_splunk
Splunk Employee
Splunk Employee

Hi hatbeard

Can you try and go through the troubleshooting section that's in the documentation of the app? Can you also doublecheck that the data inputs are still enabled?


Troubleshooting

The lookup searches are not returning any data

In the context of the app, try and do the search for:

tag=web
If this is not returning any results I suspect you are not seeing the data because it is stored in a non-default index and the user in Splunk does not search in non-default indexes automatically. Another issue might be that you are not using any of the pre-configured sourcetypes. See Setup point 1 above.

If this is returning results, double check that each entry has the "site" field populated. It's crucial that this field exists in your data. See Setup point 2 above.

All or some dashboards are returning "No results found"

As the app relies heavily on data model accelerations you will not see anything in any dashboards (except the "Real-Time" ones) until this acceleration has completed. Initially this could take a while. There is a "Data Model Audit" dashboard that will tell you if the acceleration is complete or not.

0 Karma

jbjerke_splunk
Splunk Employee
Splunk Employee

Hi hatbeard
Can you check this thread? All objects in the app was moved to "app" visiblity instead of global and some other users reported issues.

http://answers.splunk.com/answers/316288/splunk-app-for-web-analytics-eventtype-not-found-o.html#com...

j

0 Karma

hatbeard
Explorer

All of them were app, i changed them to global, and i still get nothing.

0 Karma

hatbeard
Explorer

I looked at the search.log and saw this.

10-15-2015 13:28:25.132 WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-http_channel' in stanza [default]: The expression is malformed. Expected ).

0 Karma

hatbeard
Explorer

The issue seems to be in

eventtype=web-traffic status=200 NOT (eventtype=web-uri-nonpage OR eventtype=ua-bot OR eventtype=exclude-pageview OR eventtype=clientip-internal)

It fails until i take out

eventtype=web-uri-nonpage OR

The web-uri-nonpage when i run eventtype=web-uri-nonpage in a search gives me nothing.

Even if it gives nothing it should not matter based on the ORs right?

[edit] it looks like my pages and sessions are blank now for whatever reason. When i try to run the lookups it wont find any results either.

[Edit2]
I backed up my current install and reinstalled the app. Even with nothing, i get nothing in realtime, or lookups. Do you have a previous version I can try to see if i can get this rolling again?

0 Karma

hatbeard
Explorer

Also, eventtype=pageview does not work.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...