I'm new to the Web Analytics App for Splunk, and I have some issues with it. I followed the configuration steps to see the data samples, and I did it without problems. Then I indexed data logs from some sites with the sourcetypes access_combined and accesscombinedwcookie. Again, I followed the configuration steps, but my first problem appears in step 2, when I go to the Websites dashboard and the panel Available host and source combinations doesn't show my sources. At this point, I tried two different ways: in the first one, I configured the site by typing the source in the field, and in the second one I manually added the index in the panel search, and with this change the panel showed me my sources. But in both cases, when I finish the configuration and select the site from the dropdown menu of any panel, all of them are empty. Then I tried a search with the eventtype=web-traffic:
and I only get the events from the samples... but if I type the eventtype with the index where I have my data logs, I can see my data:
The app context of the index is the Web Analytics App. I don't understand what's going on... what am I doing wrong?
If @jbjerke_splunk or anyone can help me, I'll be very grateful.
After a lot of tests I found the solution. I can see my data only if I index it in the main index... In the documentation I can read:
If your data is stored in an index that is not searched by default for your Splunk user, you need to add All non-internal indexes (or the specific index in question) to the Selected indexes in Access controls -> Roles -> [ROLE NAME]
And yes, my user has All non-internal indexes enabled. Even with this, I can't see the data in other indexes... but, just out of curiosity, I added the index with my data to the role... and with this, yes, I can see my data now.
Conclusion: for me the All non-internal indexes didn't work, and I need to add all the necessary indexes to my role.