Splunk App for Web Analytics: I have no 'site' att...

lauMarot · ‎08-10-2015

Hello,

Having problems setting up Splunk App for Web Analytics.

Trying to test it on a small web site running Apache server on 1 host and standard login format. I have no 'site' attribute ... so every search with a site="*" has no result.

sourcetype is access_combined.

Any advice ?

jbjerke_splunk · ‎05-29-2019

Hi

New version of the app is now live which hopefully solve this issue.
https://splunkbase.splunk.com/app/2699

v 2.2.0
- Added an option to use a different data model name than "Web". This caused conflicts with the default CIM datamodel also called Web.
- Made changes to Sites setup dashboard to make it easier.
- Migrated website setup settings to the KV store.
- Added better support for IIS. Now supports ms:iis:auto and ms:iis:default sourcetypes which comes from the official IIS Add-on.
- Updated User agent string parsing to latest version
- Various bug fixes

fangrisani · ‎10-12-2018

Hi guys,
I'm new to splunk and WebAnalytics and I have a similar problem. tag=web from the app context search return data but I can't see the field host.
I suppose that's the reason for the field site not being created.
Any idea why i can see the field host in the search app for sourcetype=iis but not on the context app for tag=web?

Best Regards

jbjerke_splunk · ‎01-03-2019

Hi

IIS data can overwrite the host field based on content of the data. Make a search for tag=web for and find out what host field you see and then use this host field instead of the one you see in the setup page.

good luck

j

lauMarot · ‎08-13-2015

uninstall and then install once again
configure exactly as detailed in doc (website config, then run lookups and finally add data model acceleration). I had previously a warning message in website config that I hadn't noticed

=> works fine now

jbjerke_splunk · ‎08-10-2015

In the context of the app, try and do the search for:

 tag=web

If this is not returning any results I suspect you are not seeing the data because it is stored in a non-default index and the user in Splunk does not search in non-default indexes automatically.

You need to add All non-internal indexes to the Selected indexes in Access controls » Roles » [ROLE NAME]
Alternatively you can add just the index where the apache log files are stored.

There is a thread about this here:
http://answers.splunk.com/answers/270500/how-do-i-get-data-into-splunk-app-for-web-analytic.html

If you are seeing data for the search tag=web but the "site" field is not populated, something must be wrong in the site setup stage. Make sure that the exact host and source combination for your data exists in the setup. You can use wildcards by using * for either host or source.

geh · ‎04-10-2021

Hello,

i ran into the same problem and the search for
"tag=web" or "eventtype=web-traffic" shows me a lot of results.

But if i append "site=*" there no more results.

Can you please tell me, what kind of splunk-object is "site"?
Is it a Macro, a search-time variable, an lookup-outcome.
What is the splunk-technique behind the search-value "site"?

thank you & best regards
Gerhard

lauMarot · ‎08-11-2015

by default, logs are indexed in default index ('main' index in this case)

jbjerke_splunk · ‎08-11-2015

Can you detail the host and source fields for your data when you search for tag=web ? Can you also then show what you have filled out in the site setup page? I will try and help you configure this if I get the details.

j

lauMarot · ‎08-11-2015

i've deleted the application and installed it once again. Now i've got data for real-time tab but nothing in tabs relying in tstats / summaries even if I've set up acceleration on web model.

|tstats summariesonly=t prestats=t dc(Web.http_session) FROM datamodel=Web WHERE Web.site="*" "Web.eventtype"=pageview GROUPBY Web.http_session,Web.ua_family _time span=1d | timechart span=1d dc(Web.http_session) by Web.ua_family | rename Web.ua_family AS "Browser "
=> 0 event matching !

and if I cut the query to make it larger :

|tstats summariesonly=t prestats=t dc(Web.http_session) FROM datamodel=Web
=> 2 events

rroberts · ‎08-10-2015

Did you go through the setup? "Websites are configured from a combination of the host and the source field. Each event with that unique combination will be tagged with the corresponding website name in the field "site". " Go to setup->Websites to create your sites.

lauMarot · ‎08-10-2015

yes of course

Splunk App for Web Analytics: I have no 'site' attribute, so every search with site="*" has no result. How do I fix this?

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout