Other than this question/answer forum, is there a way to get support for the Splunk App for Web Analytics? I have not been able to get it to show any data.
I have been looking at this app and trying to get some gauge of why my information stopped on a specific date on select reports. When I run the real time report I can see data streaming in as prescribed, however, when I go to the traffic center all of the traffic stops on April 3rd. I have gone through and applied all the tests that you mentioned earlier in the post and everything is working as it should. Please let me know if you need any specific information in helping me troubleshoot this.
I found a bug in a config file.
Edit the file transforms.conf in this folder
Edit the stanza so it matches this
[WA_settings]
filename = WA_settings.csv
match_type = WILDCARD(source)
This will enable wildcard matching on the source field so you can have * in the source field in WA_settings.csv . I will shortly release an updated version of the app that has this enabled by default.
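What the WILDCARD(source) setting changes, as an added Python sketch that is not part of the original post or the app's own code. It imitates the lookup against a constructed WA_settings.csv (the column names host, source and site are assumptions) and constructed per-day IIS log paths.

```python
import csv
import io
import re

# Constructed stand-in for WA_settings.csv; the column names host, source
# and site are assumptions, not the app's documented schema.
WA_SETTINGS = r"""host,source,site
web01,*W3SVC1*,intranet
web01,C:\inetpub\logs\LogFiles\W3SVC2,extranet
"""

def wildcard_to_regex(pattern):
    """Treat * as 'any run of characters'; everything else is literal."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.DOTALL)

def lookup_site(host, source, wildcard_source=True):
    """Return the site for an event, or None when no row matches.

    wildcard_source=False models the stanza without match_type, where the
    source cell must equal the event's source exactly.
    """
    for row in csv.DictReader(io.StringIO(WA_SETTINGS)):
        if row["host"] != host:
            continue
        if wildcard_source:
            matched = wildcard_to_regex(row["source"]).fullmatch(source) is not None
        else:
            matched = row["source"] == source
        if matched:
            return row["site"]
    return None

# Constructed per-day IIS log sources (one file per day, as in the thread).
DAY1 = r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex150402.log"
DAY2 = r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex150403.log"

if __name__ == "__main__":
    for src in (DAY1, DAY2):
        print(src, lookup_site("web01", src), lookup_site("web01", src, False))
```

A source cell without any * still has to equal the event's full source, and a pattern such as *W3SVC1* also matches a W3SVC10 folder, so keep patterns as specific as the data allows.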
Excellent! Thank you very much! I now am able to see data in the real-time but the rest still shows no data. I have disabled and re-enabled acceleration on the data model and have waited more than 20 minutes. Is there anything else I need to do in order to see data on the other tabs?
Make sure you re-run both lookups - they should both return results - and then disable and re-enable the data model acceleration for the data model Web.
Let me know how you get along.
Has the data model finished building the index? You can see this by expanding the data model using the little arrow next to it. It should give you a percentage on how far it has come.
I do not see where this percentage that you speak of is located. However, it does show some data now. However it seems like it is only showing data from today even if I choose something like Year to date. Also under top operating systems it just shows "compatible" whereas I would have expected something like Windows 7.
Can you double check you selected acceleration for more than 1 day? Set it to 1 month or more to get statistics further back. You can do this by disabling and then re-enabling the acceleration.
For the operating system, there might be something off with that field extraction. You should be able to modify that yourself. Perhaps the OS is not contained in the source data?
You can use this forum or click my name under the "Built by..." on the right-hand side column on the app page.
It's difficult to say what the problem might be without any details. In your other post you mention Splunk TA for Web logs. That TA does not do any data inputs and does not need to be configured at all. It just needs to be installed.
Do you get any results for this search query?
If you do, verify that the data model has been accelerated.
If not, do you get anything for this query?
index=* (sourcetype=access* OR sourcetype=iis)
If not, the sourcetype for the data you have in Splunk is not according to the documentation. You can use sourcetype renaming, reimport the data under a new sourcetype, or modify the eventtype definition.
If you let me know more details I can try and help.
Some more information for you:
Under Setup -> Websites I have configured a website with Source=W3SVC1
Under Setup -> Lookups -> Generate User Sessions it returns data but Generate Pages does not return data.
That leads me to believe the sites are not correctly set up. Make sure that both the source and the host field match exactly whatever you have in your data. I designed the Website setup page so you can click on the right-hand side for all available host+source combinations and then enter the site name without needing to type anything. The source for an IIS site should be a complete folder structure string and not just W3SVC1.
Once this is done, run the lookups again.
Once the lookups are done, rebuild the data model by disabling acceleration and then re-enabling it.
I meant to say that the source was W3SVC1 (surrounded with * at beginning and end. The post is just not displaying the star).
Either way, I changed the source to C:\inetpub\logs\LogFiles\W3SVC1* (Slashes are being stripped out from this path)
This is not exactly what is listed in the Available host and source combinations as this lists a different source for each different day of IIS logs. Source Examples:
(Slashes are being stripped out from these paths)
Then I ran lookups again (Generate User Sessions still looks like it returns no results). Then I rebuilt the data model. Still no dice.
Again, Thanks for your continued assistance!