All Apps and Add-ons

No data/errors on Audience, Acquisition and Behaviour

sov_gwright
New Member

Now that the data is populating properly and the Real-Time tab is doing what it should be, I've moved on to troubleshooting some of the other sections. Starting with Audience, I get no results in the main Sessions box and the Pageviews, Pages/Session and Bouncerate all show errors like

Error in 'map': Did not find value for
required attribute 'site'.

It looks like the Data Model is perhaps not working, but I have no idea how to troubleshoot it. Is it possibly to do with the fact my data isn't in the main index?

0 Karma

anmolpatel
Builder

Yes, that is the case, as the data is not mapped

-> Go to Settings -> Data Model ->
and check for the Web Data Model (DM)

Now you will need to look into constraints section which defines how the DM is being populated

At this stage you may have a list of indexes and source types that populate the Web DM (keep this for later [1], if not its fine)

In order to map the use this docs page as its a really good walkthrough
https://docs.splunk.com/Documentation/CIM/4.15.0/User/UsetheCIMtonormalizedataatsearchtime

The indexes / sourcetypes / tags from [1] will assist identifying which apps provide the data that populate the DM. If there were none, you will need to identify which of the sourcetypes from the data you're currently ingesting are relevant to the DM and follow the process.

The modified / created eventtypes.conf, tags.conf and props.conf will become part of /local for each of the app for which you're mapping to the Web DM

Once you push out the new conf files, you will need to restart Splunk (applies to eventtypes and tags)

Though before you do that, you would want to validate that the props which map to the "site" field or any other key is working as expected.
So execute

| extract reload=true

and then in a new tab, run the spl

index="indexName" sourcetype="updateMappedSourcetype" earliest=-1h latest=now
| stats values(site) as site by _time

restart Splunk SH and you should see the site mapped

| tstats values(Web.site) as site from datamodel=Web by sourcetype index

You can repeat the rest for other sourcetypes

0 Karma

sov_gwright
New Member

I had changed the constraint on the datamodel and in the eventtype "web-traffic" which almost all other eventtypes seem to be built off.

I see the sites fine when I run

| tstats values(Web.site) as site from datamodel=Web by sourcetype index

however viewing the dashboards give the same errors as before. You completely lost me with the mapping/CIM stuff though, but that's due to my own lack of experience with Splunk.

0 Karma

anmolpatel
Builder

Hey @sov_gwright I think i got to the bottom of the error. Firstly open up the Audience dashboard and clone it. This is to ensure we are not breaking anything to confirm the issue and changes

Let me explain with an example about what I have drilled down for the "Error in 'map': Did not find value for required attribute " message.

| makeresults 
| eval Site="%"
| eval Status =""
| map search="|makeresults 
  | eval _raw = \"Site, Status
Site1, ON
Site2, ON
, OFF
Site4, ON
\" 
  | multikv forceheader=1
  | where like(Site, \"%\".$Site$.\"%\")
  | table Site Status" 
| table Site Status

The above should return Site1, Site2 and Site4. Splunk's Search Parser replaces $Site$ to "SITE_VALUE"

If we do the same with $$

| makeresults 
| eval Site="%"
| eval Status =""
| map search="|makeresults 
  | eval _raw = \"Site, Status
Site1, ON
Site2, ON
, OFF
Site4, ON
\" 
  | multikv forceheader=1
  | where like(Site, \"%\".$$Site$$.\"%\")
  | table Site Status" 
| table Site Status

The Search Parser does something different: SearchParser - PARSING: | where like(Site,(("%" . '"%"') . "%")).

So in the cloned dashboard, edit click edit search on the Pageviews panel.
Issue: The site and other values contains $$ and is also enclosed in quotes \".
Fix: replace \"$$ and $$\" OR "$$ and $$" with $ respectively.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...