All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk App for Web Analytics: Why am I getting error "The search for datamodel 'Web" failed to parse, cannot get indexes to search"?

brandonf
Path Finder
‎11-23-2015 11:21 PM

Hi

I am getting an error when trying to search the datamodel Web:

The search for datamodel 'Web' failed to parse, cannot get indexes to search

I've checked the search permission using tag=web within the app context and it returns the correct results including the site name. When I check the datamodel settings though under the Web root object. I ran the preview on the constraint tag=web and it returns no results? No sure why it doesn't work - are there permissions that the datamodel uses that are different?

I then created a "test" datamodel with the same constraint and when I ran preview, it does indeed return results.

Splunk 6.3.1 and 1.6.1 of the app.

Regards
Brandon

Reply
1 Solution
Solved! Jump to solution
Solution

brandonf
Path Finder
‎11-26-2015 04:51 AM

Hi J

I solved the problem - turns out there was a blacklist entry in the distsearch.conf that prevented the bin/ directory from being sent with the search bundles. The user_agents.py file wasnt be sync to the indexers and that cause the datamodel to fail.

Thanks for the help

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

brandonf
Path Finder
‎11-26-2015 04:51 AM

Hi J

I solved the problem - turns out there was a blacklist entry in the distsearch.conf that prevented the bin/ directory from being sent with the search bundles. The user_agents.py file wasnt be sync to the indexers and that cause the datamodel to fail.

Thanks for the help

0 Karma
Reply
Solved! Jump to solution

jbjerke_splunk
Splunk Employee
Splunk Employee
‎11-24-2015 12:19 AM

Hi Brandon

Can you try and open the data model "web" in the pivot interface and then click "Open in search"?

This will do a pivot search in the search interface which usually shows some error messages if there is any issue.

j

0 Karma
Reply
Solved! Jump to solution

jbjerke_splunk
Splunk Employee
Splunk Employee
‎11-24-2015 02:04 AM

Hi Brandon

I believe that error relates to the KVstore and possibly that the lookup has not been transferred to the indexers correctly. From version 1.6 of the app it uses the KVstore instead of a csv based lookup.

Can you try and replacing the transforms.conf with the one in the "install" folder as per the documentation for Splunk 6.2 compatibility? If this works the problem is with the KVstore.

j

0 Karma
Reply
Solved! Jump to solution

brandonf
Path Finder
‎11-24-2015 01:26 AM

Hi

Here is the error:
[splunk-index1] The search for datamodel 'Web' failed to parse, cannot get indexes to search
[splunk-index3] The search for datamodel 'Web' failed to parse, cannot get indexes to search

Here is the search that ran:
| pivot Web Web count(Web) AS "Count of Web" ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...