All Apps and Add-ons

Why am I getting an error on dashboards when ingesting data in Splunk App for Web Analytics?

chaoservices
Explorer

Hi all,
I've got data ingesting from a couple of servers, and setup went okay with the real-time returning results but something seems to be wrong with my data model acceleration since no other dashboard has content.

The "Data Model Acceleration check" returns returns red exclamations despite saying it is 100% and the Data Model Audit is equally affirming.

Nothing is jumping out at me from the Search job inspector, so what could be going wrong here and how to I get the remaining features working?

0 Karma
1 Solution

jbjerke_splunk
Splunk Employee
Splunk Employee

Hi

Can you check if there is an eval function in the Web datamodel called “dmReload”? In some cases this field has been known to prevent the DM from accelerating and the tstats from running. A workaround is to simply delete this field and eval function altogether from the Web datamodel in the app.

Try this and then manually triggering a DM rebuild.

j

View solution in original post

0 Karma

jbjerke_splunk
Splunk Employee
Splunk Employee

Hi

Can you check if there is an eval function in the Web datamodel called “dmReload”? In some cases this field has been known to prevent the DM from accelerating and the tstats from running. A workaround is to simply delete this field and eval function altogether from the Web datamodel in the app.

Try this and then manually triggering a DM rebuild.

j

0 Karma

chaoservices
Explorer

That did it! Thanks.

I'm not clear what that function is supposed to do...

0 Karma

jbjerke_splunk
Splunk Employee
Splunk Employee

Hi chaoservices

Double check the troubleshooting section on the documentation page. I suspect the DM is accelerate but contains 0 Events, hence the red check.

In order for the data model to get data, you need to make sure the events are tagged with "web", this will happen automatically if you are using the default sourcetypes (iis or access_combined). Another issue could be that certain fields are not extracted correctly like the "file" field which is important to determine the type of request in the log file.

Check these things and let me know how you get along.

j

0 Karma

chaoservices
Explorer

Good points. I noticed that the Splunk CIM also had a DM Web and when I disabled that App the Data Model Acceleration check table became clearer (Acceleration, 1, Status, 100%, Events, 0). So I ran the lookups again and rebuilt the DM Web but no dice.

tag=web is returning results with clean and discrete fields (file looks like a list of files 🙂 and the DM seems to contain data (it has size and buckets) but I still get the error: Search process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in search.log for this peer in the Job Inspector for more info.

Perhaps something is wrong with the Knowledge Objects getting distributed to the indexers?

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...