All Apps and Add-ons

Splunk App for Web Analytics: I've imported data and can see it in the data summary, but why do dashboards show "No results found"?

kc5ods
Explorer

I've imported my data, I've done my generate pages and generate user sessions. I can see everything in the data summary, but when I go to behaviour or any of the dashboards, I get "No results found". What the heck am I doing wrong? so frustrating!

1 Solution

jbjerke_splunk
Splunk Employee
Splunk Employee

Hi kc50ds

You need to match your data to a website as the app works in a multi site environment. On the site setup page you should mark up any host and source combination to a site using the form. As you can use wildcards you can match up all your host and source combinations on one line even if you have many source files.

site========= host===source
roadrunner.com server1 /var/log/httpd/access_log
roadrunner.com server2 /var/log/httpd/access_log

or something like this:

site========= host===source
roadrunner.com server* /var/log/httpd/*

The site setup page instructions above is detailed at the top of the page and in the documentation.

Websites are configured from a combination of the host and the source field. Each event with that unique combination will be tagged with the corresponding website name in the field "site". The "site" fields should match your domain name, i.e. "www.mydomain.com". Click the tables below to prefill the setup form. You can use wildcards (*) in the Source field to select multiple files matching a pattern. The data in the setup form will be stored in the lookup file called WA_settings.csv

The dashboards are powered by a datamodel so initially it will take a while for anything to show. Once data keeps coming in you should see an approximate delay of max 10minutes for all dashboards except the realtime one. The default setting for the data model acceleration is 3 months. You can set it to "All time" - that way you should see more than 90 days. This is also written on the documentation page.

I hope this helps.

j

View solution in original post

jbjerke_splunk
Splunk Employee
Splunk Employee

Hi kc50ds

You need to match your data to a website as the app works in a multi site environment. On the site setup page you should mark up any host and source combination to a site using the form. As you can use wildcards you can match up all your host and source combinations on one line even if you have many source files.

site========= host===source
roadrunner.com server1 /var/log/httpd/access_log
roadrunner.com server2 /var/log/httpd/access_log

or something like this:

site========= host===source
roadrunner.com server* /var/log/httpd/*

The site setup page instructions above is detailed at the top of the page and in the documentation.

Websites are configured from a combination of the host and the source field. Each event with that unique combination will be tagged with the corresponding website name in the field "site". The "site" fields should match your domain name, i.e. "www.mydomain.com". Click the tables below to prefill the setup form. You can use wildcards (*) in the Source field to select multiple files matching a pattern. The data in the setup form will be stored in the lookup file called WA_settings.csv

The dashboards are powered by a datamodel so initially it will take a while for anything to show. Once data keeps coming in you should see an approximate delay of max 10minutes for all dashboards except the realtime one. The default setting for the data model acceleration is 3 months. You can set it to "All time" - that way you should see more than 90 days. This is also written on the documentation page.

I hope this helps.

j

kc5ods
Explorer

Jbjerke, after i wrote of my latest troubles i began to think you were right at some point and i missed something. i went back over my logfile and for some reason my IIS quit writing one of the fields that splunk/SAFWA needed. data was there, but it was not encoded properly. i think my problems are solved now, and many many thanks for your help!

0 Karma

jbjerke_splunk
Splunk Employee
Splunk Employee

Hi kc50ds

Can you check that your scheduled searches are running? These are creating lookups that are then fed into the datamodel that produces the data for the dashboards.

If the scheduled searches are running, can you also check that the datamodel is enabled?

There is a new version of the app - 1.41 - that has a vastly superior documentation and setup page. After upgrading, go to the Documentation page and check that all checkboxes are green. That page also includes trouble shooting steps.

https://splunkbase.splunk.com/app/2699/

j

0 Karma

kc5ods
Explorer

thanks, i had this part worked out. but it's not updating now; it stopped reading anything past 8pm on monday, august 10. there's been lots of traffic of course since then. what do i do now?

0 Karma

jbjerke_splunk
Splunk Employee
Splunk Employee

To troubleshoot this, do the same as before.

Run a search for this:
tag=web

If you don't get results that are after 8pm on monday, august 10 the data inputs are configured in-correctly. This is outside the scope of the app and you need to sort that out by modifying the data inputs.

If you do see data after 8pm on monday, august 10 you might have the sites mis-configured.
Run a search for this:
tag=web site=*

If you don't see data after 8pm on monday, august 10 you need to configure your sites properly. The source log files might have rolled over to a new file that is not being picked up by the host and source pattern? There is a guide on the site page that should help you. You can see all host and source combinations currently in the data and if you have a site configured to match this.

j

0 Karma

kc5ods
Explorer

my website is an ip address 64.x.x.x - and after a certain day there's no more data shown in the behavior etc tab. a search for tag=web shows the data there, but i cant get it to "analyze" ...i.e wont show in real time tab, or behavior tab, or audience tab, etc. the "traffic center" shows pageviews/non pageviews up to today (09/04/15) though so i have no idea what i'm doing wrong.

0 Karma

kc5ods
Explorer

here's a screenshot. the top part is when i first enter the app. the other part is the behavior tab. the data is there, but the app isnt doing anything with it. http://postimg.org/image/64wd0h8bz/

0 Karma

kc5ods
Explorer

i have since got data to appear, God only knows how. its like it took it awhile to show up. but it's not showing real time and has stopped showing any new data (even though the logfile has been updated since the time of the last data it shows) it's also not differentiating mobile/desktop clients, and some fields are still "no results found." i can see the "event count" increasing in the indexes, but nothing new is appearing in the web analytics app.

0 Karma

kc5ods
Explorer

i also discovered that i had to use a single continuous log file, as apparently it's not smart enough to import all my daily log files.

0 Karma

kc5ods
Explorer

and it is not able to, in the "analytics center" use dimensions "browser" "mobile device" "OS" - but "channel" works

0 Karma

kc5ods
Explorer

so, update. i imported the entire log folder, but it appears i have to match a website to a source, so i need one big logfile instead of my daily logfiles. would have been nice to have that as an explanation. but now it will only show 90 days worth of activity (approximately) at one time. what gives?

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...