Web Intelligence - No Results found...

New Member

Hi there,

I'm currently evaluating Splunk for our environment, and have found the promising looking Web Intelligence app...

However, I'm struggling to get it to show up any data...

I've copied several of our apache access logs onto the Splunk host, and indexed the data through the 'Files & Directories' data input method...
I can see the data in the standard search app, however when I try to use Web Intelligence it just shows "No results found"...

Any ideas???

Cheers
Gavin

Path Finder

Here is a list of field aliases that may be needed, taken from [access-extractions] in default/transforms.conf

[access-extractions]
# matches access-common or access-combined apache logging formats
# Extracts: clientip, clientport, ident, user, req_time, method, uri, root, file, uri_domain, uri_query, version, status, bytes, referer_url, referer_domain, referer_proto, useragent, cookie, other (remaining chars)  
# Note: referer is misspelled in purpose because that is the "official" spelling for "HTTP referer"

New Member

Mmm, ok... Based a lot of this on the IIS log format then...
Got these in my local/props.conf file:
[F5_SPLUNK_iRULE]
FIELDALIAS-ClientAddress = client_address AS clientip
FIELDALIAS-HTTP Method = http_method AS method
FIELDALIAS-HTTP Status = http_status AS status
FIELDALIAS-Referrer = referrer AS referer
FIELDALIAS-URL = url AS uri
FIELDALIAS-uri_path = url AS uri_path
FIELDALIAS-useragent = user_agent AS useragent

However I'm still not seeing data... I've updated WebIntelligence source to be sourcetype=F5_SPLUNK_iRULE, which shows results when I hit preview...

Any ideas???

Cheers
Gavin

Splunk Employee

There is not a definitive list, but by and large the fields conform to the fields extracted from access_combined or access_common Apache logs (clientip, cookie, referer_domain, etc).

New Member

Is there a list of fields that Web Intelligence is looking for?

Splunk Employee

Yes, you will want to alias fields similar to how the app does in default/props.conf.

New Member

As an update, I've got decent data running into Splunk using the F5 Networks app and associated iRule...

How can I get the data formatted such that Web Intelligence supports it? Is it a case of creating some field aliases?

Cheers
Gav

Splunk Employee

Have you gone through the setup workflow for the app (located at /app/webintelligence/setup)? Using this, you can enter the correct sources/sourcetypes for your access logs as well as other filters you may want to set, and then use the Preview buttons to ensure that your settings are correct.

Splunk Employee

Can you search any 5-minute time range in the day before to see if charts show up on the dashboards? It's not an issue of realtime vs not. Basically, any time range that exceeds 5 minutes will search summary indexes instead of the raw data.

New Member

The data I use isn't realtime. I'm using a couple of access logs from the day before in the 01u00 to 01u00 timeframe.

Splunk Employee

Do you see any data if you search for a time range that's less than 5 minutes? For most of the views, any time range that's over 5 minutes searches against summary indexes. A simple way to sanity check that your app is configured correctly is to search a time range when you know there is data and that spans less than 5 minutes.

New Member

The views relying on the summarized data won't show for me either, even after running the backfill_all scripts. The Preview option is showing data as it should.

Splunk Employee

Many of the views in Web Intelligence rely on summarized data. The 'stats count' is a bit strange. Did you follow the directions to summarize your data? Do you see anything in the summary indexes?

Explorer

I'm having the same issues. I'm quite curious to know what's going on, and eager for a solution (the app looks so interesting). I'm new to Splunk, but it seems like the search can't be right, like it's composed incorrectly. For instance, why would the subsearch begin with 'stats count'... shouldn't that be the target of a search?

Splunk Employee

It seems like you are trying to access views that rely on summarized data. After you set up the app, did you follow the instructions for backfilling the summary indexes?

New Member

The search being run is:
" search host=* [ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=3605, "index=wi_summary_fivemin", if(range<=(86400+3600),"index=wi_summary_hourly","index=wi_summary_daily")) ] source="Pageview*" sourcename="*" | top uri "

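As an added example (not code from the thread or from the Web Intelligence app), a Python sketch that ties the two threads of this discussion together: it parses an access_combined line into the field names listed earlier, applies the same F5-to-Apache renames as the FIELDALIAS stanza posted above, reports which fields the app expects but cannot find, and mirrors the summary-index selection in the eval of the search quoted above. The regex, the F5_ALIASES map and the sample log line are my own constructions; the EXPECTED list is the set of fields the thread names.

```python
import re

# Fields the thread says Web Intelligence expects (access_combined names).
EXPECTED = ("clientip", "method", "uri", "status", "referer", "useragent")

# Hand-written matcher for Apache access_common / access_combined (assumption,
# not Splunk's own [access-extractions] regex).
ACCESS_COMBINED = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<req_time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<version>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<useragent>[^"]*)")?$'
)

# Same renames as the FIELDALIAS lines in the props.conf post: F5 name -> app name.
F5_ALIASES = {
    "client_address": "clientip", "http_method": "method", "http_status": "status",
    "referrer": "referer", "url": "uri", "user_agent": "useragent",
}

def parse_access_combined(line):
    """Return a dict of extracted fields, or None if the line is not access_combined."""
    m = ACCESS_COMBINED.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["uri_path"], _, ev["uri_query"] = ev["uri"].partition("?")
    return ev

def apply_aliases(event, aliases=F5_ALIASES):
    """Copy each source field to its alias name, like FIELDALIAS (source is kept)."""
    out = dict(event)
    for src, dst in aliases.items():
        if src in out and dst not in out:
            out[dst] = out[src]
    return out

def missing_fields(event):
    """Expected fields that are absent or empty; an empty list means the event should be usable."""
    return [f for f in EXPECTED if not event.get(f)]

def pick_summary_index(range_seconds):
    """Index chosen by the 'eval search=if(range<=3605, ...)' in the quoted search."""
    if range_seconds <= 3605:
        return "wi_summary_fivemin"
    if range_seconds <= 86400 + 3600:
        return "wi_summary_hourly"
    return "wi_summary_daily"

# Constructed sample line, not a real log entry.
SAMPLE = ('10.0.0.5 - - [10/Oct/2012:13:55:36 +0000] "GET /index.html?x=1 HTTP/1.1" '
          '200 2326 "http://example.com/start" "Mozilla/5.0"')
```

Running missing_fields over a few of your own events is a quick way to see whether the app's "No results found" comes from the field names or from the summary indexes.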
Splunk Employee

If you hover your mouse next to "No results found", you should see a "More Info..." link. If you click on this link, what does the search that is being run look like?

New Member

They all show "No results found" unfortunately... I've set the date range to "Today", as the access log was imported for today...

Splunk Employee

Which particular view is showing "No Results Found"? Are you sure you aren't using a real-time window or other time range that is outside the range of your data?

New Member

Yeah, I ran through the setup workflow at the point of installing the app...

The Sourcetype is set to "sourcetype="access_c*"". Previewing this shows data for the past day.
