Re: Web Intelligence - No Results found...

fatmcgav · ‎10-14-2011

Hi there,

I'm currently evaluating Splunk for our environment, and have found the promising looking Web Intelligence app...

However i'm struggling to get it to show up any data...

I've copied several of our apache access logs onto the Splunk host, and indexed the data through the 'Files & Directories' data input method...
I can see the data in the standard search app, however when I try to use Web Intelligence it just shows "No results found"...

Any ideas???

Cheers
Gavin

MartinHarper · ‎12-13-2012

Here is a list of field aliases that may be needed, taken from [access-extractions] in default/transforms.conf

[access-extractions]
# matches access-common or access-combined apache logging formats
# Extracts: clientip, clientport, ident, user, req_time, method, uri, root, file, uri_domain, uri_query, version, status, bytes, referer_url, referer_domain, referer_proto, useragent, cookie, other (remaining chars)  
# Note: referer is misspelled in purpose because that is the "official" spelling for "HTTP referer"

fatmcgav · ‎11-11-2011

Mmm, ok... Based a lot of this on the iis log format then...
Got these in my local/props.conf file:
[F5_SPLUNK_iRULE]
FIELDALIAS-ClientAddress = client_address AS clientip
FIELDALIAS-HTTP Method = http_method AS method
FIELDALIAS-HTTP Status = http_status AS status
FIELDALIAS-Referrer = referrer AS referer
FIELDALIAS-URL = url AS uri
FIELDALIAS-uri_path = url AS uri_path
FIELDALIAS-useragent = user_agent AS useragent

However I'm still not seeing data... I've updated WebIntelligence source to be sourcetype=F5_SPLUNK_iRULE, which shows results when I hit preview...

Any ideas???

Cheers
Gavin

araitz · ‎11-09-2011

There is not a definitive list, but by and large the fields conform to the fields extracted from access_combined or access_common Apache logs (clientip, cookie, referer_domain, etc).

fatmcgav · ‎11-09-2011

Is there a list of fields that Web Intelligence is looking for?

araitz · ‎11-08-2011

Yes, you will want to alias fields similar to how the app does in default/props.conf.

fatmcgav · ‎11-08-2011

As an update, I've got decent data running into splunk using the f5 for networks app and associated iRule...

How can I get the data formatted such that Web Intelligence supports it? Is it a case of creating some field alias'?

Cheers
Gav

araitz · ‎10-14-2011

Have you gone through the setup workflow for the app (located at /app/webintelligence/setup)? Using this, you can enter in the correct sources/sourcetypes for your access logs as well as other filters you may want to set, and then use the Preview buttons to ensure that your setting are correct.

Archana · ‎11-11-2011

Can you search, any 5 minute time range in the day before to see if you see charts showing up on dashboards? It's not an issue of realtime vs not. Basically, any timerange that exceeds 5 minutes will search summary indexes instead of the raw data.

RobertWi · ‎11-09-2011

Data I use isn't realtime. Using a couple of acceslog from the day before in the 01u00 to 01u00 timeframe.

Archana · ‎11-08-2011

Do you see any data if you search for a timerange that's less than 5 minutes? For most of the views, any timerange that's over 5 minutes searches against summary indexes. A simple way to sanity check that your app is configured correctly is to try and search for a timerange when you know there is data and that spans less than 5 minutes.

RobertWi · ‎11-08-2011

the views relying on the summarized data won't show for me to, even after running the backfill_all scripts. Preview option is showing data as it should be.

araitz · ‎10-27-2011

many of the views in web intelligence rely on summarized data. The 'stats count' is a bit strange. Did you follow the directions to summarize your data? Do you see anything in the summary indexes?

chiangs · ‎10-27-2011

I'm having the same issues. I'm quite curious to know what's going on, and eager for a solution (the app looks so interesting). I'm new to splunk but it seems like the search can't be right - like it's composed incorrectly. For instance why would the subsearch begin with 'stats count' ... shouldn't that be the target of a search?

araitz · ‎10-17-2011

It seems like you are trying to access views that rely on summarized data. After you set up the app, did you follow the instructions for backfilling the summary indexes?

fatmcgav · ‎10-17-2011

The search being run is:
" search host=* [ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=3605, "index=wi_summary_fivemin", if(range<=(86400+3600),"index=wi_summary_hourly","index=wi_summary_daily")) ] source="Pageview*" sourcename="*" | top uri "

araitz · ‎10-14-2011

If you hover your mouse next to "No results found", you should see a "More Info..." link. If you click on this link, what does the search that is being run look like?

fatmcgav · ‎10-14-2011

They all show "No results found" unfortunately... I've set the date range to "Today", as the access log was imported for today...

araitz · ‎10-14-2011

Which particular view is showing "No Results Found"? Are you sure you aren't using a real-time window or other time range that is outside the range of your data?

fatmcgav · ‎10-14-2011

Yeh, ran through the setup workflow at the point of installing the app...

The Sourcetype is set to "sourcetype="access_c*"". Previewing this shows data for the past day.

Web Intelligence - No Results found...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Splunk and Fraud

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...