I'm trying to index web logs from an intranet site, so I did the setup for Web Intelligence as follows:
Filters: I had a hard time making these blank. Since this is an intranet site I don't want to filter out internal addresses or referring domains, so I sort of cheated, entered "192.168.1.1/32" as the IP filter, "*.example.com" as referring domain, etc. and excluded "/dev" from files.
Next, I ran the backfill script and after a couple of days it was complete as well. I did the sourcetype search and edited the CSV file.
I can see that the data was indexed, that the access_c* filter worked, but no matter where I go in the Web Intelligence app, I get "No results found."
What can I check here?
Check your Apache logging format. The jobs running behind the tables require the "combined" format. You may be in "common" format.
The jobs are using search filters based on referrer or client UI. This causes an empty result set if your logs are in "common" format.
A simple way to test this is to try comparing the following searches in the Web Intelligence search window: "eventtype=pageview eventtype=ua-browser-*" vs. "eventtype=pageview". If you have no results on the first one but plenty of results for the second one, then the jobs I'm talking about are likely failing with no results.
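The "common" vs. "combined" format check suggested above, as an added example that is not part of this thread: it classifies Apache access log lines by whether they carry the trailing Referer and User-Agent fields that the referrer and user-agent based jobs depend on. The log lines are constructed samples, not data from the original poster.

```python
import re

# Common Log Format (CLF) prefix; "combined" shares this and appends two quoted fields.
COMMON_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Trailing "Referer" "User-Agent" of the combined format; quotes inside a
# field are backslash-escaped by Apache, so allow \" within a field.
QUOTED = r'"(?:[^"\\]|\\.)*"'
COMBINED_TAIL_RE = re.compile(r'^ ' + QUOTED + r' ' + QUOTED + r'\s*$')


def classify_line(line):
    """Return 'common', 'combined' or 'unknown' for one access log line."""
    m = COMMON_RE.match(line)
    if not m:
        return "unknown"
    rest = line[m.end():]
    if rest.strip() == "":
        return "common"            # no referrer / user-agent fields at all
    if COMBINED_TAIL_RE.match(rest):
        return "combined"          # referrer and user-agent present
    return "unknown"


def summarize(lines):
    """Count lines per format; a log with only 'common' lines explains
    empty results for referrer- or user-agent-filtered searches."""
    counts = {"common": 0, "combined": 0, "unknown": 0}
    for line in lines:
        if line.strip():
            counts[classify_line(line)] += 1
    return counts


def lacks_ua_fields(counts):
    """True when no line carries the fields the ua-browser-* eventtypes need."""
    return counts["combined"] == 0 and counts["common"] > 0


# Constructed sample: one CLF line and one combined-format line.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2012:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326
10.0.0.5 - - [10/Oct/2012:13:55:37 -0700] "GET /app/ HTTP/1.1" 200 512 "http://intranet.example.com/index.html" "Mozilla/5.0 (Windows NT 6.1) Firefox/15.0"
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```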
These are indexes, thus you should use the correct indexes.
I have changed the above indexes and I do get some results. However, I have not been able to similarly put the data in different indexes based on time range, which seems to be the case here.
If I go to the dashboard and select "Today" as a time reference, URI visits for example shows this:
search host=* [ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=3605, "index=wi_summary_fivemin", if(range<=(86400+3600),"index=wi_summary_hourly","index=wi_summary_daily")) ] source="Pageview*" sourcename="*" | top uri
Previewing for "access_c*" returns results, none of the other filters do but then again I specifically selected them so I wouldn't filter out any intranet traffic. I can tune them so they match all but that's not what I want to do.
Thanks. I sort of cheated as we're 10.*/8 and such, but leaving them blank would be preferred. Really though, I'd just as soon have valid data coming from this app and right now I don't.
If you hover your mouse next to "No results found", Splunk should present a "More Info..." link. What is the search that you see in the resultant search profiler popup?
Similarly, what happens on the setup page when you click on the "Preview" links?