All Apps and Add-ons

Splunk App for Web Analytics: Why am I getting error "The search for datamodel 'Web" failed to parse, cannot get indexes to search"?

brandonf
Path Finder

Hi

I am getting an error when trying to search the datamodel Web:

The search for datamodel 'Web' failed to parse, cannot get indexes to search 

I've checked the search permission using tag=web within the app context and it returns the correct results including the site name. When I check the datamodel settings though under the Web root object. I ran the preview on the constraint tag=web and it returns no results? No sure why it doesn't work - are there permissions that the datamodel uses that are different?

I then created a "test" datamodel with the same constraint and when I ran preview, it does indeed return results.

Splunk 6.3.1 and 1.6.1 of the app.

Regards
Brandon

1 Solution

brandonf
Path Finder

Hi J

I solved the problem - turns out there was a blacklist entry in the distsearch.conf that prevented the bin/ directory from being sent with the search bundles. The user_agents.py file wasnt be sync to the indexers and that cause the datamodel to fail.

Thanks for the help

View solution in original post

0 Karma

brandonf
Path Finder

Hi J

I solved the problem - turns out there was a blacklist entry in the distsearch.conf that prevented the bin/ directory from being sent with the search bundles. The user_agents.py file wasnt be sync to the indexers and that cause the datamodel to fail.

Thanks for the help

0 Karma

jbjerke_splunk
Splunk Employee
Splunk Employee

Hi Brandon

Can you try and open the data model "web" in the pivot interface and then click "Open in search"?

This will do a pivot search in the search interface which usually shows some error messages if there is any issue.

j

0 Karma

jbjerke_splunk
Splunk Employee
Splunk Employee

Hi Brandon

I believe that error relates to the KVstore and possibly that the lookup has not been transferred to the indexers correctly. From version 1.6 of the app it uses the KVstore instead of a csv based lookup.

Can you try and replacing the transforms.conf with the one in the "install" folder as per the documentation for Splunk 6.2 compatibility? If this works the problem is with the KVstore.

j

0 Karma

brandonf
Path Finder

Hi

Here is the error:
[splunk-index1] The search for datamodel 'Web' failed to parse, cannot get indexes to search
[splunk-index3] The search for datamodel 'Web' failed to parse, cannot get indexes to search

Here is the search that ran:
| pivot Web Web count(Web) AS "Count of Web" ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1

0 Karma
Get Updates on the Splunk Community!

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...