Why is everything "No results found" in Web Intelligence Beta?

Path Finder

I am trying to index web logs from an intranet site, so I did the setup for Web Intelligence as follows:

Filters: I had a hard time making these blank. Since this is an intranet site I don't want to filter out internal addresses or referring domains, so I sort of cheated, entered "" as the IP filter, "*.example.com" as referring domain, etc. and excluded "/dev" from files.

Next, I ran the backfill script and after a couple of days it was complete as well. I did the sourcetype search and edited the CSV file.

I can see that the data was indexed, that the access_c* filter worked, but no matter where I go in the Web Intelligence app, I get "No results found."

What can I check here?


Change the time range to All time.

In the beta, by default the results shown are for the past 24 hours.

0 Karma


Check your Apache logging format. The jobs running behind the tables require the "combined" format. You may be in "common" format.

The jobs are using search filters based on referrer or client UI. This causes an empty result set if your logs are in "common" format.

A simple way to test this is to try comparing the following searches in the Web Intelligence search window: "eventtype=pageview eventtype=ua-browser-*" vs. "eventtype=pageview". If you have no results on the first one but plenty of results for the second one, then the jobs I'm talking about are likely failing with no results.
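
An offline way to check the log format described in the answer above, as an added example that is not part of the original thread: a Python script that classifies access-log lines as Apache "common" or "combined" by whether the quoted referer and user-agent fields are present. The sample lines are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Common Log Format:  host ident user [time] "request" status bytes
# Combined format:    the same, followed by "referer" "user-agent"
_QUOTED = r'"(?:[^"\\]|\\.)*"'          # quoted field, allowing \" escapes
_BASE = (r'\S+ \S+ \S+ \[[^\]]+\] ' + _QUOTED + r' \d{3} (?:\d+|-)')
COMMON = re.compile(_BASE + r'\s*$')
COMBINED = re.compile(_BASE + ' ' + _QUOTED + ' ' + _QUOTED + r'\s*$')


def classify(line):
    """Return 'combined', 'common' or 'unknown' for one access-log line."""
    if COMBINED.match(line):
        return "combined"
    if COMMON.match(line):
        return "common"
    return "unknown"


def summarize(lines):
    """Count how many non-empty lines fall into each format."""
    return Counter(classify(line) for line in lines if line.strip())


# Constructed sample lines (not taken from the thread).
SAMPLE = [
    '10.1.2.3 - - [12/Mar/2011:10:15:32 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '10.1.2.4 - jdoe [12/Mar/2011:10:15:40 -0500] "GET /wiki/Home HTTP/1.1" 200 2048 '
    '"http://intranet.example.com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"',
    '10.1.2.5 - - [12/Mar/2011:10:16:01 -0500] "POST /login HTTP/1.1" 302 - "-" "-"',
    'not an access log line',
]

if __name__ == "__main__":
    counts = summarize(SAMPLE)
    for fmt in ("combined", "common", "unknown"):
        print(f"{fmt:9s} {counts[fmt]}")
    if counts["common"] and not counts["combined"]:
        print("Only 'common' lines seen: no referer or user-agent fields to search on.")
```

To check a real file, pass its lines to `summarize()`, for example `summarize(open(path))`, where `path` is the location of your own access log.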

Path Finder

These are indexes, thus you should use the correct indexes.
I have changed the above indexes and I do get some results. However, I have not been able to similarly put the date in different indexes based on time range, which seems to be the case here.

0 Karma

Path Finder

If I go to the dashboard and select "Today" as a time reference, URI visits for example shows this:

search host=* [ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=3605, "index=wi_summary_fivemin", if(range<=(86400+3600),"index=wi_summary_hourly","index=wi_summary_daily")) ] source="Pageview*" sourcename="*" | top uri

Previewing for "access_c*" returns results, none of the other filters do but then again I specifically selected them so I wouldn't filter out any intranet traffic. I can tune them so they match all but that's not what I want to do.

0 Karma

Splunk Employee

See my follow-up question below.

0 Karma

Path Finder

Thanks. I sort of cheated as we're 10.*/8 and such, but leaving them blank would be preferred. Really though, I'd just as soon have valid data coming from this app and right now I don't.

0 Karma

Splunk Employee

If you hover your mouse next to "No results found", Splunk should present a "More Info..." link. What is the search that you see in the resultant search profiler popup?

Similarly, what happens on the setup page when you click on the "Preview" links?

0 Karma

Splunk Employee

You make a good point regarding the need for an option to "leave blank" one or more of the setup items.

0 Karma