Hi, I'm trying to get the Splunk App for Web Analytics to work and am having trouble with the Web data model acceleration.
Currently when viewing the Analytics Center and Audience tabs I get 'No results found'. After some investigating this is because the Web.eventtype=pageview part of the SPL query that runs is not returning any results (when I examine the search and remove this part results are returned). When I look at the events in the datamodel via Pivot there are no events where this is true, in fact the Web.eventtype field is empty for all events in the data model. Note: this is when the data model is accelerated.
When I turn off acceleration I can see that the field 'eventtype' in the data model is created by an auto-extracted field. I can then go to the edit page of the eventtype field and preview the output of the extraction; the eventtype field is then populated as expected. I can check this through a Pivot again and the values for the eventtype field are still present.
I can't work out why the field values disappear when enabling data model acceleration. I'm only working on a small data set currently for testing (<10Mb) and have given 2+ hours for the data model acceleration to be built. I have also generated the lookup tables required by the App a number of times, so that is not the issue.
I am using v2.2.2 of the App and Splunk v8.0.2. I believe I have the App set up correctly as the Real Time tab is showing data. I also briefly was able to view data on the Analytics Center and Audience tab yesterday but can't work out what changes caused this to occur!
Edit: When I run the Data Model Audit I get the following errors on the Top Accelerations visualizations:
[map]: Failed to fetch REST endpoint uri=https://127.0.0.1:8089/servicesNS/nobody/SplunkAppForWebAnalytics/admin/summarization/tstats:DM_SplunkAppForWebAnalytics_myWeb?count=0 from server https://127.0.0.1:8089. Check that the URI path provided exists in the REST API.
The problem arises when cloning the Web data model if the Splunk_SA_CIM app is already installed on the system. The Splunk_SA_CIM app also contains a data model with the name Web. When cloning the Web data model of the Web Analytics app, the tags_whitelist from the Web data model of the Splunk_SA_CIM app also gets cloned (tags_whitelist = pci, proxy, web_watchlist).
I deleted the tags_whitelist in the new WebAnalytics data model and rebuilt the data model. After that the app worked as it should.
I ended up running a new deployment of Splunk with no other Add-Ons/Apps and managed to get it working first time.
I was working in a Dev environment so this was an acceptable solution for me. On my initial set up I did have a lot of other Add-Ons/Apps installed so I'm wondering if there was a CIM conflict or something similar.
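An offline check for the conflict described in the answer above, added here as an example and not part of the original thread or of either app: it parses datamodels.conf text per app and flags data models that share a name with a Splunk_SA_CIM model or carry the same tags_whitelist. The sample file contents, the function names and the layout of the myWeb stanza are constructed assumptions.

```python
import configparser

CIM_APP = "Splunk_SA_CIM"

# Constructed datamodels.conf contents keyed by app name. The stanza names and
# the tags_whitelist value follow the thread; the other settings are made up.
SAMPLE_CONFS = {
    "Splunk_SA_CIM": """
[Web]
acceleration = false
tags_whitelist = pci, proxy, web_watchlist
""",
    "SplunkAppForWebAnalytics": """
[Web]
acceleration = true

[myWeb]
acceleration = true
tags_whitelist = pci, proxy, web_watchlist
""",
}

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def tag_set(value):
    """Normalise a comma-separated tag list so ordering and spacing are ignored."""
    return frozenset(t.strip() for t in value.split(",") if t.strip())

def audit(confs):
    """Return sorted (app, data_model, finding) tuples for non-CIM apps."""
    parsed = {app: parse_conf(text) for app, text in confs.items()}
    cim = parsed.get(CIM_APP, {})
    cim_lists = {tag_set(s["tags_whitelist"]) for s in cim.values()
                 if "tags_whitelist" in s}
    findings = []
    for app, stanzas in parsed.items():
        if app == CIM_APP:
            continue
        for name, settings in stanzas.items():
            if name in cim:
                findings.append((app, name, "name_collision_with_cim"))
            wl = settings.get("tags_whitelist")
            if wl and tag_set(wl) in cim_lists:
                findings.append((app, name, "inherited_tags_whitelist"))
    return sorted(findings)
```

To use it on a real instance, replace SAMPLE_CONFS with the text of each app's own datamodels.conf files.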