All Apps and Add-ons

Web Intelligence - No Results found...

fatmcgav
New Member

Hi there,

I'm currently evaluating Splunk for our environment, and have found the promising looking Web Intelligence app...

However i'm struggling to get it to show up any data...

I've copied several of our apache access logs onto the Splunk host, and indexed the data through the 'Files & Directories' data input method...
I can see the data in the standard search app, however when I try to use Web Intelligence it just shows "No results found"...

Any ideas???

Cheers
Gavin

0 Karma

MartinHarper
Path Finder

Here is a list of field aliases that may be needed, taken from [access-extractions] in default/transforms.conf

[access-extractions]
# matches access-common or access-combined apache logging formats
# Extracts: clientip, clientport, ident, user, req_time, method, uri, root, file, uri_domain, uri_query, version, status, bytes, referer_url, referer_domain, referer_proto, useragent, cookie, other (remaining chars)  
# Note: referer is misspelled in purpose because that is the "official" spelling for "HTTP referer"
0 Karma

fatmcgav
New Member

Mmm, ok... Based a lot of this on the iis log format then...
Got these in my local/props.conf file:
[F5_SPLUNK_iRULE]
FIELDALIAS-ClientAddress = client_address AS clientip
FIELDALIAS-HTTP Method = http_method AS method
FIELDALIAS-HTTP Status = http_status AS status
FIELDALIAS-Referrer = referrer AS referer
FIELDALIAS-URL = url AS uri
FIELDALIAS-uri_path = url AS uri_path
FIELDALIAS-useragent = user_agent AS useragent

However I'm still not seeing data... I've updated WebIntelligence source to be sourcetype=F5_SPLUNK_iRULE, which shows results when I hit preview...

Any ideas???

Cheers
Gavin

0 Karma

araitz
Splunk Employee
Splunk Employee

There is not a definitive list, but by and large the fields conform to the fields extracted from access_combined or access_common Apache logs (clientip, cookie, referer_domain, etc).

0 Karma

fatmcgav
New Member

Is there a list of fields that Web Intelligence is looking for?

0 Karma

araitz
Splunk Employee
Splunk Employee

Yes, you will want to alias fields similar to how the app does in default/props.conf.

0 Karma

fatmcgav
New Member

As an update, I've got decent data running into splunk using the f5 for networks app and associated iRule...

How can I get the data formatted such that Web Intelligence supports it? Is it a case of creating some field alias'?

Cheers
Gav

0 Karma

araitz
Splunk Employee
Splunk Employee

Have you gone through the setup workflow for the app (located at /app/webintelligence/setup)? Using this, you can enter in the correct sources/sourcetypes for your access logs as well as other filters you may want to set, and then use the Preview buttons to ensure that your setting are correct.

0 Karma

Archana
Splunk Employee
Splunk Employee

Can you search, any 5 minute time range in the day before to see if you see charts showing up on dashboards? It's not an issue of realtime vs not. Basically, any timerange that exceeds 5 minutes will search summary indexes instead of the raw data.

0 Karma

RobertWi
New Member

Data I use isn't realtime. Using a couple of acceslog from the day before in the 01u00 to 01u00 timeframe.

0 Karma

Archana
Splunk Employee
Splunk Employee

Do you see any data if you search for a timerange that's less than 5 minutes? For most of the views, any timerange that's over 5 minutes searches against summary indexes. A simple way to sanity check that your app is configured correctly is to try and search for a timerange when you know there is data and that spans less than 5 minutes.

0 Karma

RobertWi
New Member

the views relying on the summarized data won't show for me to, even after running the backfill_all scripts. Preview option is showing data as it should be.

0 Karma

araitz
Splunk Employee
Splunk Employee

many of the views in web intelligence rely on summarized data. The 'stats count' is a bit strange. Did you follow the directions to summarize your data? Do you see anything in the summary indexes?

0 Karma

chiangs
Explorer

I'm having the same issues. I'm quite curious to know what's going on, and eager for a solution (the app looks so interesting). I'm new to splunk but it seems like the search can't be right - like it's composed incorrectly. For instance why would the subsearch begin with 'stats count' ... shouldn't that be the target of a search?

0 Karma

araitz
Splunk Employee
Splunk Employee

It seems like you are trying to access views that rely on summarized data. After you set up the app, did you follow the instructions for backfilling the summary indexes?

0 Karma

fatmcgav
New Member

The search being run is:
" search host=* [ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=3605, "index=wi_summary_fivemin", if(range<=(86400+3600),"index=wi_summary_hourly","index=wi_summary_daily")) ] source="Pageview*" sourcename="*" | top uri "

0 Karma

araitz
Splunk Employee
Splunk Employee

If you hover your mouse next to "No results found", you should see a "More Info..." link. If you click on this link, what does the search that is being run look like?

0 Karma

fatmcgav
New Member

They all show "No results found" unfortunately... I've set the date range to "Today", as the access log was imported for today...

0 Karma

araitz
Splunk Employee
Splunk Employee

Which particular view is showing "No Results Found"? Are you sure you aren't using a real-time window or other time range that is outside the range of your data?

0 Karma

fatmcgav
New Member

Yeh, ran through the setup workflow at the point of installing the app...

The Sourcetype is set to "sourcetype="access_c*"". Previewing this shows data for the past day.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...