I've tried setting up the WebIntelligence app on my Splunk deployment, but I'm falling short somewhere since almost all of the views report "no results found".
Here's the background on the setup page:
Step 2: N/A web logs are already indexed
Step 3: sourcetype="iis"
If I hit the preview button below Step 3, I get the most recent 20 logs from the | head 20 command. I can remove the "| head 20" and get the data for the last day (or the last few months if I like, just for argument's sake).
Initially I created a list of IPs to exclude, but I later modified this to be 1.1.1.1 to essentially have no exclusions (I can't leave the field blank). My assumption was that I would tweak this later.
What I find interesting when you click the preview button is that the search is:
sourcetype="iis" clientip=1.1.1.1 | head 20
It's an IP to exclude, but in the preview, it's the only IP address included. This may be by design so that you see the data you will be excluding? In my case, no data, so I modify the search with a NOT operator in front of the clientip and of course see events.
For the referring domain, I again had a valid value initially, but later changed this to *.thisisnotarealdomain.zzz as part of troubleshooting.
I enter part of my real domain name between asterisks as in *blah* (redacted here). When I click preview I get no matching events.
The only pages I exclude are *php and *.css.
After saving, I populated the lookup table and edited the file with the custom name for each source as directed by the documentation. This file appears to be updating each day as expected.
I've actually had this all configured a few weeks, but it's only just now bubbled back up to the top of my to-do list to fix. Therefore, no backfilling of data should be necessary.
The values in the eventtypes.conf file all match what I've entered through the GUI, and all the .conf files are as generated by the installation and configuration of the app via the GUI (in other words, none of them have been modified manually).
On the real-time dashboard, I only see data for "Traffic Patterns". All of the other charts show "No Results found".
Almost all of the views are showing "No Results found" with the following exceptions:
The setup seems pretty straight forward. I'm wondering if I'm just missing the obvious somewhere.
The issue here has been resolved. The problem was that prior to my installation of the app, I had created some field aliases for my IIS logs. Specifically for the sc_status field. Looking at the savedsearches.conf file, that field is used in many of the saved searches for the app.
Then, the props.conf file for the app defines its own aliases for the fields, but the match for the sourcetype is:
[(?:::){0}iis-*]
My sourcetype for IIS data is "iis".
So would it possibly make more sense for the props.conf file for the app to be:
[(?:::){0}iis*]
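To see why a stanza named iis-* skips a sourcetype called plain iis, here is an added Python model (not code from the app or from Splunk) that parses a constructed props.conf excerpt and reports which FIELDALIAS settings apply to a given sourcetype. It assumes the simplified rule that a "(?:::){0}" stanza is a wildcard pattern over the sourcetype name and a plain stanza is an exact name; the alias values are made up for illustration.

```python
import re

# Constructed props.conf excerpt (not the app's real file): one wildcard stanza
# using the "(?:::){0}" prefix and one plain stanza for the exact name "iis".
PROPS_CONF = """
[(?:::){0}iis-*]
FIELDALIAS-wi_status = sc_status AS status

[iis]
FIELDALIAS-local_status = sc_status AS http_status
"""

WILDCARD_PREFIX = "(?:::){0}"


def parse_stanzas(text):
    """Return {stanza_name: {key: value}} for props.conf-style text."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas


def stanza_matches_sourcetype(stanza, sourcetype):
    """Simplified model: host::/source:: stanzas never apply to a sourcetype,
    a "(?:::){0}" stanza is a glob where "*" matches any run of characters,
    and any other stanza must equal the sourcetype name exactly."""
    if stanza.startswith(("host::", "source::")):
        return False
    if stanza.startswith(WILDCARD_PREFIX):
        glob = stanza[len(WILDCARD_PREFIX):]
        pattern = ".*".join(re.escape(piece) for piece in glob.split("*"))
        return re.fullmatch(pattern, sourcetype) is not None
    return stanza == sourcetype


def applicable_aliases(text, sourcetype):
    """Collect FIELDALIAS-* settings from every stanza that applies."""
    found = {}
    for name, settings in parse_stanzas(text).items():
        if stanza_matches_sourcetype(name, sourcetype):
            found.update({k: v for k, v in settings.items() if k.startswith("FIELDALIAS-")})
    return found
```

With a sourcetype of "iis", only the local stanza's alias applies; the app's iis-* stanza only reaches sourcetypes such as iis-1 or iis-2, which is exactly the mismatch described above.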
See the answer to your question that you just asked.
I am also having issues. I verified that there is data in my wi summary indexes. The problem I am seeing is that when I search from my search head I can't get any info from the summary indexes, but if I go to the indexer and do the same search, information returns.
Is there something special you have to do in a distributed environment?
Did you ever get this figured out? I'm having extensive difficulties getting this set up and our symptoms seem to be all the same.
Thanks
-Joe
Tim,
The default is designed to work with the way most people do IIS, which is to rely on the "check header" line with fields at the top. In this case, the sourcetype will be autoset to iis-1, iis-2, .... Yours are all the same, so we set it to be iis since we control the outputs.
Best,
Sean
I'm suspicious that the source="User session visitor source*" part of the search is at least part of the problem at hand.
I tried this in the search function within the webintelligence app:
search host=* [ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=(86400+3600),"index=wi_summary_hourly","index=wi_summary_daily") ]
This is the first part of what is showing highlighted in yellow in the debug information. I ran this for the same time period (1/18/2012 00:00:00 to 1/18/2012 12:15:31) and got 377 events returned.
The next part of the query (and the remainder of what was highlighted in yellow) is source="User session visitor source*". Once I add that to the search criteria, I get zero results.
Archana asks: Can you perhaps search a 5 minute time window within that range to see if there are events in that time period?
So I repeated the original search (Pageviews) and modified the time range to be 1/18/12 12:01:00.000 PM – 1/18/12 12:04:00.000 PM
Again, no results.
The "more info" window reports the following:
search eventtype=pageview eventtype=ua-browser* | lookup sourcenames source | eval sourcename=if(sourcename==" " OR isnull(sourcename),source,sourcename) | search sourcename="*" | timechart count AS pageviews, dc(clientip) AS unique_visitors, eval(count/dc(clientip)) AS avg_pageviews
over the time range:
1/18/12 12:01:00.000 PM – 1/18/12 12:04:00.000 PM
did not return any data. Possible solutions are to:
The following messages were returned by the search subsystem:
DEBUG: base lispy: [ AND 200 index::windows sourcetype::iis [ OR applewebkit blackberry* bonecho camino epiphany gecko granparadiso iceape iceweasel konqueror minefield msie netscape opera safari seamonkey shiretoko wordpress [ AND 1 firefox macintosh sourcetype::(?:::){0}iis-* ] [ AND 1 firefox macintosh ] [ AND 1 firefox macintosh sourcetype::(?:::){0}iis-* ] [ AND 1 firefox macintosh ] [ AND 1 firefox sourcetype::(?:::){0}iis-* windows ] [ AND 1 firefox windows ] [ AND 1 firefox sourcetype::(?:::){0}iis-* windows ] [ AND 1 firefox windows ] [ AND 1 firefox sourcetype::(?:::){0}iis-* x11 ] [ AND 1 firefox x11 ] [ AND 1 firefox sourcetype::(?:::){0}iis-* x11 ] [ AND 1 firefox x11 ] [ AND 2 firefox macintosh sourcetype::(?:::){0}iis-* ] [ AND 2 firefox macintosh ] [ AND 2 firefox macintosh sourcetype::(?:::){0}iis-* ] [ AND 2 firefox macintosh ] [ AND 2 firefox sourcetype::(?:::){0}iis-* windows ] [ AND 2 firefox windows ] [ AND 2 firefox sourcetype::(?:::){0}iis-* windows ] [ AND 2 firefox windows ] [ AND 2 firefox sourcetype::(?:::){0}iis-* x11 ] [ AND 2 firefox x11 ] [ AND 2 firefox sourcetype::(?:::){0}iis-* x11 ] [ AND 2 firefox x11 ] [ AND 3 firefox macintosh sourcetype::(?:::){0}iis-* ] [ AND 3 firefox macintosh ] [ AND 3 firefox macintosh sourcetype::(?:::){0}iis-* ] [ AND 3 firefox macintosh ] [ AND 3 firefox sourcetype::(?:::){0}iis-* windows ] [ AND 3 firefox windows ] [ AND 3 firefox sourcetype::(?:::){0}iis-* windows ] [ AND 3 firefox windows ] [ AND 3 firefox sourcetype::(?:::){0}iis-* x11 ] [ AND 3 firefox x11 ] [ AND 3 firefox sourcetype::(?:::){0}iis-* x11 ] [ AND 3 firefox x11 ] [ AND 4 firefox macintosh sourcetype::(?:::){0}iis-* ] [ AND 4 firefox macintosh ] [ AND 4 firefox macintosh sourcetype::(?:::){0}iis-* ] [ AND 4 firefox macintosh ] [ AND 4 firefox sourcetype::(?:::){0}iis-* windows ] [ AND 4 firefox windows ] [ AND 4 firefox sourcetype::(?:::){0}iis-* windows ] [ AND 4 firefox windows ] [ AND 4 firefox sourcetype::(?:::){0}iis-* x11 ] [ 
AND 4 firefox x11 ] [ AND 4 firefox sourcetype::(?:::){0}iis-* x11 ] [ AND 4 firefox x11 ] [ AND 5 firefox macintosh sourcetype::(?:::){0}iis-* ] [ AND 5 firefox macintosh ] [ AND 5 firefox macintosh sourcetype::(?:::){0}iis-* ] [ AND 5 firefox macintosh ] [ AND 5 firefox sourcetype::(?:::){0}iis-* windows ] [ AND 5 firefox windows ] [ AND 5 firefox sourcetype::(?:::){0}iis-* windows ] [ AND 5 firefox windows ] [ AND 5 firefox sourcetype::(?:::){0}iis-* x11 ] [ AND 5 firefox x11 ] [ AND 5 firefox sourcetype::(?:::){0}iis-* x11 ] [ AND 5 firefox x11 ] [ AND 5 explorer internet sourcetype::(?:::){0}iis-* ] [ AND 5 explorer internet ] [ AND 5 explorer internet sourcetype::(?:::){0}iis-* ] [ AND 5 explorer internet ] [ AND 4 5 6 61 en mozilla sourcetype::(?:::){0}iis-* sun4u sunos u x11 ] [ AND 4 5 6 61 en mozilla sun4u sunos u x11 ] [ AND 4 5 6 61 en mozilla sourcetype::(?:::){0}iis-* sun4u sunos u x11 ] [ AND 4 5 6 61 en mozilla sun4u sunos u x11 ] [ AND explorer internet sourcetype::(?:::){0}iis-* ] [ AND explorer internet ] [ AND explorer internet sourcetype::(?:::){0}iis-* ] [ AND explorer internet ] ] ]
DEBUG: search context: user="**redacted**", app="webintelligence", bs-pathname="/opt/splunk/etc"
Did it have any hits for source="User session visitor source*"?
The issue is that anytime you use a timerange that spans more than 5 minutes, we're searching a summary index rather than the raw data. The timerange you choose dictates which summary index is searched (e.g. wi_summary_hourly for 00:00:00 to 12:15:31 vs wi_summary_daily when you choose "Month to Date"). Can you perhaps search a 5 minute time window within that range to see if there are events in that time period?
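To make the index selection described above reproducible, here is an added Python helper (not the app's code) that parses a time range in the formats quoted in this thread and reports where the app would look: raw events for windows of 5 minutes or less (per the answer above), otherwise wi_summary_hourly when the span is within 86400+3600 seconds and wi_summary_daily beyond that (the condition in the view's own subsearch). The raw-event label is an assumption; the two summary index names come from the thread.

```python
from datetime import datetime

# Thresholds from the thread: <= 5 minutes searches raw data (answer above);
# the subsearch picks hourly when range <= 86400+3600 seconds, else daily.
RAW_MAX_SECONDS = 5 * 60
HOURLY_MAX_SECONDS = 86400 + 3600

# Timestamp styles quoted in this thread: the search inspector's
# "1/18/12 12:15:31.000 PM" and the poster's "1/18/2012 12:15:31".
TIME_FORMATS = ("%m/%d/%y %I:%M:%S.%f %p", "%m/%d/%Y %H:%M:%S")
RANGE_SEPARATORS = (" – ", " - ", " to ")


def parse_time(text):
    """Parse one timestamp, trying each known format in turn."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def parse_range(text):
    """Split 'start – end' (en dash, hyphen or 'to') into two datetimes."""
    for sep in RANGE_SEPARATORS:
        if sep in text:
            start, end = text.split(sep, 1)
            return parse_time(start), parse_time(end)
    raise ValueError(f"no range separator in: {text!r}")


def range_seconds(text):
    """Length of the range in seconds (the subsearch's info_max_time - info_min_time)."""
    start, end = parse_range(text)
    return (end - start).total_seconds()


def data_source_for_range(text):
    """Return the search scope the app would use for the given time range."""
    span = range_seconds(text)
    if span <= RAW_MAX_SECONDS:
        return "raw events (sourcetype=iis)"   # assumed label for the raw-data path
    if span <= HOURLY_MAX_SECONDS:
        return "index=wi_summary_hourly"
    return "index=wi_summary_daily"
```

Running it over the three ranges from this thread shows why "Today" hits the hourly index, "Month to Date" the daily one, and the 3-minute window the raw events, so each of those searches must find data in a different place.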
Running
index=wi_summary_hourly | stats count by source
for
00:00:00 to 12:15:31
gives me a total count of 377 (averages around 30 or so per hour)
Running the same search as before (Pageviews), it defaults to "Today", so I changed the drop-down to "Month to Date" - still getting "no results found".
Clicking "more info" gives me almost the same info as before, except of course, the date info starts on 1/1/2012, and in the Debug information, the index references are to "wi_summary_daily" instead of the hourly index.
Have you tried the same search using a different time range?
For the same time range, what do you see if you search: index=wi_summary_hourly | stats count by source
Just checking to see if the summary index is filling up correctly.
Some great feedback in there! Let me try to address one at a time.
If you hover your mouse over one of the "No results found" messages, an "Inspect..." link should appear. If you click this, a search inspector window should pop up with all sorts of details about the search. Do you see anything there, specifically in that long debug statement? Maybe your web data is in an index that is not searched by default?
How about your summary indexes? If you go to Manager > Indexes (you might have to look on the indexers if you have a distributed environment), do you see events in the wi_summary* indexes? If you search those indexes, do you see data?
Thanks for the response araitz.
The web data is in an index that is searched by default, but thanks for pointing it out just the same - it seems obvious, but it wasn't something I had checked. Just for fun, where I had configured sourcetype="iis" for the app, I added index=windows to further refine the configuration. I'm not sure that really helps, but I didn't think it would hurt either.
I checked all the wi_summary* indexes under Manage/Indexes - all of them have data. I also searched them just to verify. Those seem OK.
As for the debug information... If I select Business & Marketing/Pageviews, I get no results for "Number of Visitors", and if I click on the more info link, I get the following:
search host=* [ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=(86400+3600),"index=wi_summary_hourly","index=wi_summary_daily") ] source="User session visitor source*" sourcename="*" | timechart span=1h eval(sum(myeventcount)) AS pageviews, dc(clientip) AS unique_visitors, eval((sum(myeventcount))/dc(clientip)) AS avg_pageviews
over the time range:
1/18/12 12:00:00.000 AM – 1/18/12 12:15:31.000 PM
did not return any data. Possible solutions are to:
The following messages were returned by the search subsystem:
DEBUG: Subsearch evaluated to the following search expression: index=wi_summary_hourly
DEBUG: base lispy: [ AND index::wi_summary_hourly source::user\ session\ visitor\ source* [ OR host::* sourcetype::(?:::){0}iis-* sourcetype::iis ] ]
DEBUG: search context: user="johndoe", app="webintelligence", bs-pathname="/opt/splunk/etc"