All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk App for Web Analytics: I have no 'site' attribute, so every search with site="*" has no result. How do I fix this?

lauMarot
Path Finder
‎08-10-2015 08:38 AM

Hello,

Having problems setting up Splunk App for Web Analytics.

Trying to test it on a small web site running Apache server on 1 host and standard login format. I have no 'site' attribute ... so every search with a site="*" has no result.

sourcetype is access_combined.

Any advice ?

0 Karma
Reply

jbjerke_splunk
Splunk Employee
Splunk Employee
‎05-29-2019 02:38 AM

Hi

New version of the app is now live which hopefully solve this issue.
https://splunkbase.splunk.com/app/2699

v 2.2.0
- Added an option to use a different data model name than "Web". This caused conflicts with the default CIM datamodel also called Web.
- Made changes to Sites setup dashboard to make it easier.
- Migrated website setup settings to the KV store.
- Added better support for IIS. Now supports ms:iis:auto and ms:iis:default sourcetypes which comes from the official IIS Add-on.
- Updated User agent string parsing to latest version
- Various bug fixes

0 Karma
Reply

fangrisani
Engager
‎10-12-2018 03:16 AM

Hi guys,
I'm new to splunk and WebAnalytics and I have a similar problem. tag=web from the app context search return data but I can't see the field host.
I suppose that's the reason for the field site not being created.
Any idea why i can see the field host in the search app for sourcetype=iis but not on the context app for tag=web?

Best Regards

0 Karma
Reply

jbjerke_splunk
Splunk Employee
Splunk Employee
‎01-03-2019 02:24 AM

Hi

IIS data can overwrite the host field based on content of the data. Make a search for tag=web for and find out what host field you see and then use this host field instead of the one you see in the setup page.

good luck

j

0 Karma
Reply

lauMarot
Path Finder
‎08-13-2015 01:15 AM
  • uninstall and then install once again
  • configure exactly as detailed in doc (website config, then run lookups and finally add data model acceleration). I had previously a warning message in website config that I hadn't noticed

=> works fine now

0 Karma
Reply

jbjerke_splunk
Splunk Employee
Splunk Employee
‎08-10-2015 11:46 PM

In the context of the app, try and do the search for:

 tag=web

If this is not returning any results I suspect you are not seeing the data because it is stored in a non-default index and the user in Splunk does not search in non-default indexes automatically.

You need to add All non-internal indexes to the Selected indexes in Access controls » Roles » [ROLE NAME]
Alternatively you can add just the index where the apache log files are stored.

There is a thread about this here:
http://answers.splunk.com/answers/270500/how-do-i-get-data-into-splunk-app-for-web-analytic.html

If you are seeing data for the search tag=web but the "site" field is not populated, something must be wrong in the site setup stage. Make sure that the exact host and source combination for your data exists in the setup. You can use wildcards by using * for either host or source.

0 Karma
Reply

geh
New Member
‎04-10-2021 03:00 PM

Hello,

i ran into the same problem and the search for
"tag=web" or "eventtype=web-traffic" shows me a lot of results.

But if i append "site=*" there no more results.

Can you please tell me, what kind of splunk-object is "site"?
Is it a Macro, a search-time variable, an lookup-outcome.
What is the splunk-technique behind the search-value "site"?

thank you & best regards
Gerhard

 

0 Karma
Reply

lauMarot
Path Finder
‎08-11-2015 01:17 AM

by default, logs are indexed in default index ('main' index in this case)

0 Karma
Reply

jbjerke_splunk
Splunk Employee
Splunk Employee
‎08-11-2015 04:15 AM

Can you detail the host and source fields for your data when you search for tag=web ? Can you also then show what you have filled out in the site setup page? I will try and help you configure this if I get the details.

j

0 Karma
Reply

lauMarot
Path Finder
‎08-11-2015 01:16 AM

i've deleted the application and installed it once again. Now i've got data for real-time tab but nothing in tabs relying in tstats / summaries even if I've set up acceleration on web model.

|tstats summariesonly=t prestats=t dc(Web.http_session) FROM datamodel=Web WHERE Web.site="*" "Web.eventtype"=pageview GROUPBY Web.http_session,Web.ua_family _time span=1d | timechart span=1d dc(Web.http_session) by Web.ua_family | rename Web.ua_family AS "Browser "
=> 0 event matching !

and if I cut the query to make it larger :

|tstats summariesonly=t prestats=t dc(Web.http_session) FROM datamodel=Web
=> 2 events

0 Karma
Reply

rroberts
Splunk Employee
Splunk Employee
‎08-10-2015 11:00 AM

Did you go through the setup? "Websites are configured from a combination of the host and the source field. Each event with that unique combination will be tagged with the corresponding website name in the field "site". " Go to setup->Websites to create your sites.

0 Karma
Reply

lauMarot
Path Finder
‎08-10-2015 12:14 PM

yes of course

0 Karma
Reply
Get Updates on the Splunk Community!

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...

Enterprise Security Content Update (ESCU) | New Releases

In March, the Splunk Threat Research Team had 2 releases of security content via the Enterprise Security ...

Join the Splunk Developer Program Hackathon: Splunk Build-a-thon!

The Splunk Developer Program is launching in beta, and we’re celebrating with an exciting hackathon! This is ...
Top