Splunk Search

Why is everything "No results found" in Web Intelligence Beta?

mikeely
Path Finder

Am trying to index web logs from an intranet site, so I did the setup for Web Intelligence as follows:
sourcetype="access_c*"

Filters: I had a hard time making these blank. Since this is an intranet site I don't want to filter out internal addresses or referring domains, so I sort of cheated, entered "192.168.1.1/32" as the IP filter, "*.example.com" as referring domain, etc. and excluded "/dev" from files.

Next, I ran the backfill script and after a couple of days it was complete as well. I did the sourcetype search and edited the CSV file.

I can see that the data was indexed, that the access_c* filter worked, but no matter where I go in the Web Intelligence app, I get "No results found."

What can I check here?

eashwar
Communicator

Change the time range to "All time".

In the beta, by default the results shown are for the past 24 hours.


pde7
Explorer

Check your Apache logging format. The jobs running behind the tables require the "combined" format. You may be in "common" format.

The jobs are using search filters based on referrer or client UI. This causes an empty result set if your logs are in "common" format.

A simple way to test this is to try comparing the following searches in the web intelligence search window: "eventtype=pageview eventtype=ua-browser-*" vs. "eventtype=pageview". If you have no results on the first one but plenty of results for the second one, then the jobs I'm talking about are likely failing with no results.

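As an added example, not code from the original thread or from the Web Intelligence app, here is a small Python check for the condition pde7 describes: whether a sample of Apache access-log lines is in the "combined" format (which carries the referer and user-agent fields the summary jobs filter on) or the "common" format (which does not). The regexes follow the standard Apache field layout; the sample log lines are constructed for illustration and are not from the original post.

```python
import re

# Apache "common" log format: host ident user [time] "request" status bytes.
# No referer or user-agent fields are present.
COMMON_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Apache "combined" log format: the common fields followed by two quoted
# fields, referer and user agent. These are what eventtypes such as
# ua-browser-* need in order to match anything.
COMBINED_RE = re.compile(
    COMMON_RE.pattern + r' "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify_line(line):
    """Return 'combined', 'common' or 'unknown' for one access-log line."""
    line = line.strip()
    # Test the longer format first: COMMON_RE would also match the prefix
    # of a combined line, so the common check must be a full match.
    if COMBINED_RE.match(line):
        return "combined"
    if COMMON_RE.fullmatch(line):
        return "common"
    return "unknown"


def parse_referer_ua(line):
    """Return (referer, user_agent) for a combined-format line, else None."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    return m.group("referer"), m.group("ua")


def classify_log(lines):
    """Tally the formats seen across many lines; blank lines are skipped."""
    counts = {"combined": 0, "common": 0, "unknown": 0}
    for line in lines:
        if line.strip():
            counts[classify_line(line)] += 1
    return counts


def referer_ua_available(lines):
    """True only if every non-blank line is combined format.

    A mix of formats (e.g. an old common-format log appended to a newer
    combined one) would still leave the referer/UA-based jobs with gaps.
    """
    counts = classify_log(lines)
    return (
        counts["combined"] > 0
        and counts["common"] == 0
        and counts["unknown"] == 0
    )


# Constructed sample lines (hypothetical hosts and paths, not real data).
SAMPLE_COMMON = [
    '10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '10.0.0.6 - frank [10/Oct/2000:13:55:37 -0700] "GET /about.html HTTP/1.0" 200 512',
]
SAMPLE_COMBINED = [
    '10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326 '
    '"http://intranet.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"',
    '10.0.0.6 - frank [10/Oct/2000:13:55:37 -0700] "GET /about.html HTTP/1.0" 200 512 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/90.0"',
]

if __name__ == "__main__":
    for name, sample in (("common", SAMPLE_COMMON), ("combined", SAMPLE_COMBINED)):
        print(name, classify_log(sample), "usable:", referer_ua_available(sample))
```

Run it against a few hundred lines of the actual access log before loading them; if the tally shows "common" lines, the app's referer- and user-agent-based searches will come back empty no matter how the filters are set.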
Akili
Path Finder

index=wi_summary_hourly

These are indexes, thus you should use the correct indexes.

I have changed the above indexes and I do get some results. However, I have not been able to similarly put the data in different indexes based on time range, which seems to be the case here.


mikeely
Path Finder

If I go to the dashboard and select "Today" as a time reference, URI visits for example shows this:

search host=* [ stats count | addinfo | eval range=info_max_time - info_min_time | eval search=if(range<=3605, "index=wi_summary_fivemin", if(range<=(86400+3600),"index=wi_summary_hourly","index=wi_summary_daily")) ] source="Pageview*" sourcename="*" | top uri

Previewing for "access_c*" returns results, none of the other filters do but then again I specifically selected them so I wouldn't filter out any intranet traffic. I can tune them so they match all but that's not what I want to do.


araitz
Splunk Employee

See my follow-up question below.


mikeely
Path Finder

Thanks. I sort of cheated as we're 10.*/8 and such, but leaving them blank would be preferred. Really though, I'd just as soon have valid data coming from this app and right now I don't.


araitz
Splunk Employee

If you hover your mouse next to "No results found", Splunk should present a "More Info..." link. What is the search that you see in the resultant search profiler popup?

Similarly, what happens on the setup page when you click on the "Preview" links?


araitz
Splunk Employee

You make a good point regarding the need for an option to "leave blank" one or more of the setup items.
