Hi chaoservices Double check the troubleshooting section on the documentation page. I suspect the DM is accelerate but contains 0 Events, hence the red check. In order for the data model to get data, you need to make sure the events are tagged with "web", this will happen automatically if you are using the default sourcetypes (iis or access_combined). Another issue could be that certain fields are not extracted correctly like the "file" field which is important to determine the type of request in the log file. Check these things and let me know how you get along. j ... View more

Hi Prateedshetty No, just follow the steps under Documentation and the lookup will be created for you. That lookup specifically is created during the Site setup phase. j ... View more

Update on the previous answer. The app uses the json version of the yaml file. It is called regexes.json and can be found in the folder SplunkAppForWebAnalytics/bin/ua_parser You can convert the regexes.yaml file found here: https://github.com/ua-parser/uap-core/blob/master/regexes.yaml into json format and then copy it to that folder to update the the signatures for the user agents. I used this service to make the conversion: http://convertjson.com/yaml-to-json.htm j ... View more

Hi Download the latest version of the parser from there: https://github.com/ua-parser/uap-python Install it locally and then copy the file "regexes.yaml" that is created after install to the SplunkAppForWebAnalytics/bin/ua_parser folder. There is also a copy of this file on the github page that you can use directly: https://github.com/ua-parser/uap-core/blob/master/regexes.yaml Let me know how you get along. j ... View more

Hi The app comes with the rest_ta preconfigured. If you want to upgrade to the latest version of the rest_ta (or just download manually from Splunkbase) you need to merge the files "rest-ta/bin/responsehandlers.py" which contains the custom Instagram responsehandler (InstagramUserFeedEventHandler) that I wrote for this input. Can you check to make sure that you have that piece of Instagram specific code I wrote in your app? For generic troubleshooting of the rest TA I regularly use this search: index=_* rest sourcetype=splunkd component!=SearchParser| table _time component log_level message Let me know how you get along. j ... View more

Yes Take a look at this docs page: http://docs.splunk.com/Documentation/ES/4.7.4/Admin/Customizenotables#Create_and_manage_notable_event_suppressions j ... View more

Hi The workaround is to edit the Datamodel "Web" and remove the eval field dmReload. It is not being used in this version of Splunk and the app. j ... View more

Hi I believe the problem is that the field extraction is not working for your log type. The app identifies what is a pageview (html, php etc.) vs a non-pageview (jpg, css, js). If that field is not extracted it will not work correctly. Check using the field extractor or by manually doing a regex to get that field extracted correctly into the http_request field. j ... View more

Hi Robbie1194 You can also run a search like this. This would display a list of forwarders that haven’t reported in for a 2 hour window at any point. You can adjust accordingly to suit your needs. index=_internal source=*metrics.log group=tcpin_connections | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | table sourceHost _time | sort sourceHost, -_time | reverse | streamstats window=1 current=f global=false last(_time) as previous_time by sourceHost | eval d=_time-previous_time | fields - previous_time | search d>7200 ... View more

Hi jgauthier The apache:access sourcetype does not extract all the fields you require for this app out of the box. Make sure that all field extractions that are currently mapped to sourcetype access_combined are also mapped to apache:access. You can do this by making a copy of props.conf in the "default" folder into the "local" folder and edit the section with field extractions linked to "access"combined"/ Let me know how you get along. johan ... View more

Hi Mike To help you I need some more details. What is the web server you are using? What is the sourcetype in Splunk for this data? Do you see the status field in the raw event? For IIS the sourcetype should be "iis", for Apache, the sourcetype should be any of the "access_combined" variants. If the status field is in the raw data and you are using the correct sourcetype you need to create a field extraction for the status field. This field should be called "http_status" and you should be able to extract this from your logs using the interactive field extractor link text Let me know how you get along. j ... View more

Hi Imjusttesting In line with the other respondents to this question. The Splunk App for Web Analytics does not handle the actual data input configuration so there is no documentation in the app on how to do this. . For web server data you will most likely use a file monitoring input to monitor the log files generated by the web server. Once that is setup you can start using the app. Please follow the numerous guides and docs out there on how to get data into Splunk. If needed, the app does contain some sample data you can look at. There are steps in the installation documentation on how to enable the sample data input. j ... View more

Hi Lazarix Can you double check that the field http_user_agent is present in the events where the browser is in compatibility mode? Might be the issue. I believe you should be able to get around it by updating the the ua-parser. you can get the latest version from github from source: https://github.com/ua-parser Let me know how you get along. j ... View more

Ok, thats's good. The session generation is working. Can you troubleshoot the data model acceleration? Have a look at the Data Model Audit page and look for error messages. ... View more

Can you check inside the session lookup file that you have session keys in there for the time period you expect? | inputlookup WA_sessions j ... View more

Your problem description is not the same as the original post. The original post did not get the lookup working, but yours do. Can you check the documentation troubleshooting steps or from other Splunk Answers posts? As for the user field, the app generates a hash value for the user as this usually not present in the web logs. To use your user name field, disable the "Calculated field" user under Settings->Fields or by modifying the props.conf file in the app directory. Look for the EVAL-user... line. j ... View more

Hi slr The scheduled search should pick up the new data even if it is from yesterday but the data model acceleration will have already run and it will not backfill. As the app was never designed for batch file delivery I have not tested this scenario before. In this case I also believe you need to modify the schedule for the DM acceleration. This is done by modifying the file datamodels.conf which can be found here: SPLUNK_HOME/etc/apps/SplunkAppForWebAnalytics/local/datamodels.conf [Web] acceleration = 1 acceleration.cron_schedule = 2,12,22,32,42,52 * * * * acceleration.cron_schedule = 0 21 * * * I commented out the original schedule (every 10 minutes) to now run every day at 9pm. Change the schedule to about one hour after your batch file is dropped in. Can you try this? j ... View more

In step 3 - is the data you added within the last 24hours? The scheduled search is looking for the last 20min of indexed data and the last 24hours in total window regardless. ... View more

The search "Generate user sessions - scheduled" is not the same as the search "Generate user sessions". The big non-scheduled search needs to complete first. Then start data model acceleration. If you have disabled the "Generate user sessions - scheduled", re-enable it after the "Generate user sessions" has completed. j ... View more

It seems Instagram has made changes to their API which causes this app to not function properly. https://www.instagram.com/developer/changelog/ Any takers on re-writing the REST api modular input to work with these changes? j ... View more