I'm currently running the latest version of the Web Analytics app. For some reason, the lookups do not populate user session or pages data. The validation tool within the documentation page are showing that the tagging is correct, the website configuration is correct, and the data model is accelerated. I've modified all the permissions on the app to be available to everyone and all apps, and changed the indexes searched by default to my role. So I'm fairly certain it's not a permissions issue at this point.
Does anyone know why it's not working? Is there a certain level of logging that may need to be enabled on the web server itself? I've gone into the actual data model itself, and tried previewing the lookups and they still turn up empty even though the raw data is there.
Make sure that when you search for
you get the field eventtype with values of pageview
The app excludes non-pageviews from the datamodel as these are not used for web analytics.
If you are not getting any pageview events look into your field extractions to make sure they are working. Specifically, I have seen some issues with the field "file" not being extracted properly which has caused this issue.
You should also make sure that you get results when you run the "Generate user sessions" lookup and let this complete before you enable data model acceleration.
I have the same problem. tag=web is showing pageview event types and I get results when running "Generate user sessions"
Also: I have authenticated users in my logs but the Splunk user field is showing what seems to be a hash value not my user ID. Any suggestion?
Your problem description is not the same as the original post. The original post did not get the lookup working, but yours do. Can you check the documentation troubleshooting steps or from other Splunk Answers posts?
As for the user field, the app generates a hash value for the user as this usually not present in the web logs. To use your user name field, disable the "Calculated field" user under Settings->Fields or by modifying the props.conf file in the app directory. Look for the EVAL-user... line.
"Calculated field" user under Settings->Fields doesn't allow deletion but I modified the conf file as suggested and, after restart, that's done the trick ... thanks.
I haven't found a Splunk Answers post to help with the missing dashboard results (apart from Real-Time. I will look for the troubleshooting info in the documentation.