All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk App for Web Analytics: Why are sites are not populating?

hatbeard
Explorer
‎10-20-2015 01:18 PM

I set up what would be about 170 site-source entries with wildcard log locations. It looks like it's going to be a truly monstrous amount of logs.

Previously when I was previewing it, I set up for 2 domain names, with about 8 website source entries.

The data model is building, so I went into real-time to see what I can see, and I only see things for the 2 domains I had set up previously. Is this something it will sort out on its own after a long long processing time, or is there something else I might have done wrong?

I think some of the issue comes that i have a site field that's getting auto-extracted out of the logs, when i view

tag=web site=* |dedup site | table site

I get all kinds of results, not just what i put in the settings file?

[EDIT]
My host entry was not case sanitized. V does not equal v.

0 Karma
Reply

jbjerke_splunk
Splunk Employee
Splunk Employee
‎10-23-2015 07:16 AM

Hi hatbeard

Can you try and add this to the realtime dashbord? It will limit the search to just the sites in the config

eventtype=pageview site="*" [| inputlookup WA_settings | rename value as site | fields site]

j

0 Karma
Reply

hatbeard
Explorer
‎10-23-2015 08:55 AM

Did not do much.

Even when i run it as

eventtype=pageview site="*" [| inputlookup WA_settings | rename value as site | fields site] | dedup site |table site
it shows just the first two that i setup previously, despite there being 168 entries in the csv file. It shows them in the drop down search window, that works fine though.

Strangely though, when i do a search on just |inputlookup WA_settings, i get all of the contents of the file

0 Karma
Reply

jbjerke_splunk
Splunk Employee
Splunk Employee
‎10-22-2015 11:43 PM

Hi hatbeard

The real-time dashboard uses this base search to produce the output:

eventtype=pageview site="*"

It should show you all data that matches that search and not limited to just the sites you have configured under website setup. the only caveat is that each event needs to have the site field present and filled out. For some web log configurations this field is already part of the log file (as you mentioned) and will be present event though you haven't configured it.

Let me know you get along

j

0 Karma
Reply

hatbeard
Explorer
‎10-23-2015 06:39 AM

Yeah, it seems that its taking and auto-extracting the site field. in a lot of the uri stems in our logs there's going to be a site=foo. is there a way to tell splunk to bug off on that, or change the app to use a different variable?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...