- Community
- :
- Splunk Answers
- :
- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Why can't I see my data in the Web Analytic App?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello there!
I'm new with the Web Analytics App for Splunk, and I have some issues with it. I followed the configuration steps to see the data samples, and I did it without problems. Then, I have indexed data logs from some sites with the sourcetype access_combined and access_combined_wcookie. Again, I followed the configuration steps, but my first problem appears in the step 2 when I go to the Websites dashboard and the panel Available host and source combinations don't show my sources. At this point, I tried two different ways; the first one, I configure the site typing the source in the field, and the second one I manually add the index in the panel search and with this change, the panel showme my sources. But in both of them, when I finish the configuration and select the site from the dropdown menu of any panel, all of them are empty. Then, I try a search with the eventtype=web-traffic:
eventtype=web-traffic
and I only get the events from the samples... but if I type the eventtype with the index where I have my data logs, I can see my data:
index=myindex eventtype=web-traffic
The app context of the index is the Web Analytics App. I don't understand what's going on... what am I doing wrong?
If @jbjerke_splunk or anyone can helpme, I'll be very greatful.
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After a lot of test I found the solution. I can see my data only if I index it in the main index.... In the documentation I can read:
If your data is stored in an index that is not searched by default for your Splunk user, you need to add All non-internal indexes (or the specific index in question) to the Selected indexes in Access controls -> Roles -> [ROLE NAME]
And yes, my user has All non-internal indexes enabled. Even with this, I can't see the data in another indexes... but, only by curiosity, I add the index with my data to the Rol ... and with this, yes I can see my data now.
Conclusion; for me the All non-internal indexes didn't work, and I need to add all the necesary indexes to my Rol.
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After a lot of test I found the solution. I can see my data only if I index it in the main index.... In the documentation I can read:
If your data is stored in an index that is not searched by default for your Splunk user, you need to add All non-internal indexes (or the specific index in question) to the Selected indexes in Access controls -> Roles -> [ROLE NAME]
And yes, my user has All non-internal indexes enabled. Even with this, I can't see the data in another indexes... but, only by curiosity, I add the index with my data to the Rol ... and with this, yes I can see my data now.
Conclusion; for me the All non-internal indexes didn't work, and I need to add all the necesary indexes to my Rol.
Regards
Starting With Observability: OpenTelemetry Best Practices
.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas
Streamline Data Ingestion With Deployment Server Essentials
