How to get support for the Splunk App for Web Analytics?

dglass0215
Path Finder

Other than this question/answer forum, is there a way to get support for the Splunk App for Web Analytics? I have not been able to get it to show any data.

Thanks!

0 Karma

bbiandov
Path Finder

Very helpful discussion. What is the location of WA_settings.csv ? It isn't in /etc/apps/SplunkAppForWebAnalytics/ ?

0 Karma

ECovell
Path Finder

I have been looking at this app and trying to get some gauge of why my information stopped on a specific date on select reports. When I run the real time report I can see data streaming in as prescribed, however, when I go to the traffic center all of the traffic stops on April 3rd. I have gone through and applied all the tests that you mentioned earlier in the post and everything is working as it should. Please let me know if you need any specific information in helping me troubleshoot this.

Thank you,
Ernie

0 Karma

bbiandov
Path Finder

Answered my own question: /opt/splunk/etc/apps/SplunkAppForWebAnalytics/lookups/

0 Karma

jbjerke_splunk
Splunk Employee

Hi again

I found a bug in a config file.

Edit the file transforms.conf in this folder
/etc/apps/SplunkAppForWebAnalytics/default

Edit the stanza so it matches this

[WA_settings]
filename = WA_settings.csv
match_type = WILDCARD(source)

This will enable wildcard matching on the source field so you can have * in the source field in WA_settings.csv . I will shortly release an updated version of the app that has this enabled by default.

In WA_settings.csv:

C:\inetpub\logs\LogFiles\W3SVC1*
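
Added example, not part of the original post or the app's code: a Python sketch of why the per-day IIS sources quoted in this thread never equal a single WA_settings.csv row under exact matching, but do resolve once the source column is matched as a wildcard. The column names and the site name are assumptions, and the matcher only approximates Splunk's WILDCARD behaviour.

```python
import re

# Constructed WA_settings.csv rows; the column names "source" and "site" and
# the site value are assumptions for this example, not taken from the app.
SETTINGS = [
    {"source": r"C:\inetpub\logs\LogFiles\W3SVC1*", "site": "example-site"},
]

# Per-day IIS sources as quoted in the thread: one distinct value per log file.
EVENT_SOURCES = [
    r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex140630.log",
    r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex140701.log",
]


def wildcard_to_regex(pattern):
    """Treat * as 'any run of characters' and everything else literally."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile(".*".join(parts))


def lookup_site(source, rows, wildcard):
    """Return the site of the first row whose source matches, else None."""
    for row in rows:
        if wildcard:
            if wildcard_to_regex(row["source"]).fullmatch(source):
                return row["site"]
        elif row["source"] == source:  # default lookup behaviour: exact match
            return row["site"]
    return None


def coverage(sources, rows, wildcard):
    """Map each event source to the site it resolves to under one match mode."""
    return {s: lookup_site(s, rows, wildcard) for s in sources}


if __name__ == "__main__":
    for mode in (False, True):
        print("wildcard match" if mode else "exact match")
        for src, site in coverage(EVENT_SOURCES, SETTINGS, mode).items():
            print(f"  {src} -> {site}")
```

Events whose source resolves to no site are the ones that drop out of the site-based lookups and dashboards, so any source mapped to None here points at a row in the CSV that needs a wider pattern.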

dglass0215
Path Finder

Excellent! Thank you very much! I now am able to see data in the real-Time but the rest still shows no data. I have disabled and re-enabled acceleration on the data model and have waited more than 20 minutes. Is there anything else I need to do in order to see data on the other tabs?

0 Karma

jbjerke_splunk
Splunk Employee

Make sure you re-run both lookups - they should both return results - and then disable and re-enable the data model acceleration for the data model Web.

Let me know how you get along.

J

0 Karma

jbjerke_splunk
Splunk Employee

Has the data model finished building the index? You can see this by expanding the data model using the little arrow next to it. It should give you a percentage on how long it has come.

0 Karma

dglass0215
Path Finder

I do not see where this percentage that you speak of is located. However, it does show some data now. However, it seems like it is only showing data from today even if I choose something like Year to date. Also under top operating systems it just shows "compatible" whereas I would have expected something like Windows 7.

0 Karma

jbjerke_splunk
Splunk Employee

Can you double check you selected acceleration for more than 1 day? Set it to 1 month or more to get statistics further back. You can do this by disabling and then re-enabling the acceleration.

For the operating system, there might be something off with that field extraction. You should be able to modify that yourself. Perhaps the OS is not contained in the source data?

J

0 Karma

dglass0215
Path Finder

That is what I did and then I started getting data on the real-time tab, but no data elsewhere.

0 Karma

jbjerke_splunk
Splunk Employee

Hi dglass0215

You can use this forum or click my name under the "Built by..." on the right hand side column on the app page.

It's difficult to say what the problem might be without any details. In your other post you mention Splunk TA for Web logs. That TA does not do any data inputs and does not need to be configured at all. It just needs to be installed.

Do you get any results for this search query?

tag=web

If you do, verify that the data model has been accelerated.

If not, do you get anything for this query?

index=* (sourcetype=access* OR sourcetype=iis)

If not, the sourcetype for the data you have in Splunk is not according to the documentation. You can use sourcetype renaming, reimport the data under a new sourcetype, or modify the eventtype definition.

If you let me know more details I can try and help.

J

0 Karma

dglass0215
Path Finder

Some more information for you:

Under Setup -> Websites I have configured a website with Source=W3SVC1

Under Setup -> Lookups -> Generate User Sessions it returns data but Generate Pages does not return data.

0 Karma

jbjerke_splunk
Splunk Employee

Hi

That leads me to believe the sites are not correctly set up. Make sure that both the source and the host field match exactly whatever you have in your data. I designed the Website setup page so you can click on the right hand side for all available host+source combinations and then enter the site name without needing to type anything. The source for an IIS site should be a complete folder structure string and not just W3SVC1.

Once this is done, run the lookups again.

Once the lookups are done, rebuild the data model by disabling acceleration and then re-enabling it.

J

0 Karma

dglass0215
Path Finder

Any other assistance you can provide?

0 Karma

dglass0215
Path Finder

I meant to say that the source was W3SVC1 (surrounded with * at beginning and end. The post is just not displaying the star).

Either way, I changed the source to C:\inetpub\logs\LogFiles\W3SVC1* (Slashes are being stripped out from this path)

This is not exactly what is listed in the Available host and source combinations as this lists a different source for each different day of IIS logs. Source Examples:

C:\inetpub\logs\LogFiles\W3SVC1\u_ex140630.log
C:\inetpub\logs\LogFiles\W3SVC1\u_ex140701.log
(Slashes are being stripped out from these paths)

etc.

Then I ran lookups again (Generate User Sessions still looks like it returns no results). Then I rebuilt the data model. Still no dice.

Again, Thanks for your continued assistance!

0 Karma

dglass0215
Path Finder

Hi J!

Thanks for your reply. I do get results when searching tag=web and the Data Model named Web is accelerated. What other details can I provide to you?

Thanks!

0 Karma

aweitzman
Motivator

I think this forum is it. The app page specifically says "Community Supported."

0 Karma

dglass0215
Path Finder

Well that is a shame because it doesn't sound like there are too many users who have been able to get it to work.

0 Karma