Best practice: For all of the data inputs, specify a desired target index to provide a more sustainable practice for data access controls and retention models. By default, Splunk collects the data in the default index named main.
Data check: Run the following search to verify you are searching for normalized web data that is ready for this use case:
earliest=-1day index=* tag=web
| head 10
Identify the most popular web browsers customers use to access your web applications.
Run the following search.
| stats count BY httpuseragent
| replace *Firefox* with Firefox, *Chrome* with Chrome, *MSIE* with "Internet Explorer", *Version*Safari* with Safari, *Opera* with Opera, *rv:11.0* with "Internet Explorer" in httpuseragent
If no results appear, it may be because the add-ons were not deployed to the search heads, so the needed tags and fields are not defined. Deploy the add-ons to the search heads to access the needed tags and fields. See About installing Splunk add-ons in the Splunk Add-ons manual.
For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in the Splunk Add-ons manual.