
Splunk App for Web Analytics 1.31: Why is no data returned by lookups?

eckdale
Path Finder

Having a bit of an issue getting the Splunk App for Web Analytics setup completed. Here are some details:

  • Installed Splunk App for Web Analytics v1.31 on Search Head (v6.2)
  • The 'Available host and source combinations' panel appears to be working properly. I.E. I see the host(s) and sources I care about listed.
  • The 'Setup new website' panel appears to be working properly. I.E. After adding a site it is listed in the 'Configured websites' panel and is added to the WA_settings.csv file. Here's an example of the wildcards I'm using:

    key,value,source,host
    site,"mysite.mydomain.com","H:\inetpub\logs\LogFiles\my-site\W3SVC**","mynode-01"

  • I have verified the Role being used to set up the app (Admin) has the proper index listed for both 'indexes searched by default' and 'indexes'. In fact I've simply added 'All non-internal indexes' to both.

  • The following manual searches all return results:
    tag="web"
    sourcetype="iis"
    source="H:\inetpub\logs\LogFiles\my-site\W3SVC*\"
    | tstats prestats=t count where index= by host,source | stats count AS events by host, source | search host=""* OR source=""*

It seems like everything is in place, but when I go to build the lookups nothing is returned. Any help to narrow down my configuration oversight would be much appreciated.

0 Karma

jbjerke_splunk
Splunk Employee

Hi eckdale

Are both lookups failing or just the Sessions one?

The Pages lookup is very simple:

eventtype=pageview | table site http_request

The Sessions is much more complicated and uses the transaction command and is reliant on the "site" field being present.

In the context of the app, try and do the search for:

tag=web

If this is returning results (which you are saying it does), double check that each entry has the "site" field populated. If not, the Session lookup will not work.

Can you try this and report back what you get?

j

0 Karma

eckdale
Path Finder

BTW: Just wanted to say thanks for the time you've dedicated to this.

0 Karma

eckdale
Path Finder

Unfortunately both lookups are failing. In the context of the app I searched for:

tag=web

which returned several million matched events.

To be clear, I have configured 175 unique sites in the WA_settings.csv file (all IIS) but there are hosts with sourcetype=iis data that I have intentionally not included. Is that a problem? I.E. If I have two hosts, one test and one production, forwarding sourcetype=iis data and only include one of them (production) in the WA_settings.csv file, will the lookups fail?

0 Karma

jbjerke_splunk
Splunk Employee

Hi eckdale

I suspect the site is configured wrong and the site field is not being applied to the source and host combination. For instance, in the example above I see double slashes \\ in the source data but not in the site configuration lookup.

There is a new version of the app (1.4) which greatly enhances the setup process with visual cues (green check marks) if it is configured correctly.

https://splunkbase.splunk.com/app/2699/

j

0 Karma

eckdale
Path Finder

The double-backslashes, or escaped backslashes, in the manual search are there because Splunk seems to require them when searching for a string that uses backslashes (I assume this is part of Splunk's Linux heritage). The lack of escaped backslashes in the WA_settings.csv file is a direct result of how the app builds the file itself when using the Setup > Websites form.

I assumed the app handled the use of backslashes in some manner; however, I too had noticed this early on in my troubleshooting and manually modified the WA_settings.csv file to include the escaped backslashes, with no success.

I've upgraded the app to v1.4 and now see green check marks under the 'Configured' heading on the Setup > Websites form; however, building lookups still fails with no results.

0 Karma
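
An offline way to see which host/source combinations a WA_settings.csv row would tag with a site, added here as an example (it is not part of the thread and not the app's own code). It assumes `*` is the only wildcard and that patterns are compared case-sensitively against the raw, unescaped field values; the function names and sample data are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample in the WA_settings.csv layout quoted in the question.
LITERAL_CSV = r'''key,value,source,host
site,"mysite.mydomain.com","H:\inetpub\logs\LogFiles\my-site\W3SVC*","mynode-01"
'''
# The same row after hand-escaping every backslash, as described in the post above.
ESCAPED_CSV = LITERAL_CSV.replace("\\", "\\\\")

# Constructed (host, source) pairs, as a "by host,source" search would list them.
PAIRS = [
    ("mynode-01", r"H:\inetpub\logs\LogFiles\my-site\W3SVC1\u_ex150101.log"),
    ("mynode-02", r"H:\inetpub\logs\LogFiles\my-site\W3SVC1\u_ex150101.log"),
]


def wildcard_regex(pattern):
    """Assumption: '*' is the only wildcard; all other characters are literal."""
    parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile(".*".join(parts), re.DOTALL)


def load_rules(csv_text):
    """Return (site, host_regex, source_regex) for each 'site' row."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["value"], wildcard_regex(r["host"]), wildcard_regex(r["source"]))
            for r in rows if r["key"] == "site"]


def site_for(host, source, rules):
    """First site whose host and source patterns both match, else None."""
    for site, host_re, source_re in rules:
        if host_re.fullmatch(host) and source_re.fullmatch(source):
            return site
    return None


def audit(csv_text, pairs=PAIRS):
    """Map every (host, source) pair to its site, or None where no row applies."""
    rules = load_rules(csv_text)
    return {pair: site_for(pair[0], pair[1], rules) for pair in pairs}


if __name__ == "__main__":
    for label, text in (("literal", LITERAL_CSV), ("escaped", ESCAPED_CSV)):
        for (host, source), site in audit(text).items():
            print(f"{label:8} {host:10} {site or 'NO SITE'}  {source}")
```

Pairs reported as `NO SITE` are the ones that would carry no `site` value under these assumptions, whether because the host was left out of the file or because the pattern's backslashes do not match the raw source.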

jbjerke_splunk
Splunk Employee

Hi eckdale

I recently launched a new version - 1.41. This has improved support for IIS. There were some bugs with the previous version so I recommend you upgrade.

https://splunkbase.splunk.com/app/2699/

j

eckdale
Path Finder

Installed the update and the lookups are building as I type this. Thanks so much for the continued effort.

0 Karma