Re: Splunk App for Web Analytics: Why am I getting... - Page 2

cbader · ‎11-17-2015

All of the configs appear to be correct. When looking at the search for the Data Model Audit, it is returning the following:

[subsearch]: Failed to fetch REST endpoint uri=https://127.0.0.1:8089/servicesNS/nobody/SplunkAppForWebAnalytics/admin/summarization/tstats:DM_SplunkAppForWebAnalytics_Web?count=0 from server=https://127.0.0.1:8089

I tried to access this URI on the server where Splunk is installed and I get the following result:

<response>
   <messages>
      <msg type="ERROR">
         Application does not exist:SplunkAppforWebAnalytics
     </msg>
  </messages>
</response>

Not sure what I am missing? Any help would be appreciated. Thanks

bfsplunkdl · ‎02-19-2016

I'm having the same/similar issues. 6.3.2 running v1.6 of the app.
tag=web returns results
there is no "file" eventtype
there IS a pageview eventtype

generate lookups returns no results

audit data model also returns the same URI REST Endpoint error as above

I do have file entries in the raw log data (ex: button.jpg, search.aspx on the URL's), yet there is still no "file" eventtype

dashboards all return "no results found"

my index is non-default. my index IS listed in the user permissions (ROLES) section for my user and the app - I even manually added index=myindex to the eventtypes to force it

also, eventtype=pageview failed because it was looking for "status=200". Initially, my status codes were returning only "2" and "0" (yesterday). Today (this morning) I now see normal http codes 200, 404, 401, etc. HOWEVER they are extracted as "sc_status" and NOT "status".

I then modified the pageview syntax as such:
from "status=200" to "(status=200 OR sc_status=200)"

I also find it odd that "eventtype" lists 100% for each event, on every eventtype.

Also, in Event Types, the first item listed contains a field that I don't have anywhere else:
web-traffic-external eventtype=web-traffic NOT eventtype=web-agent-nonpublic

Specifically, I do not see "web-agent-nonpublic" defined anywhere in my app.

I'm optimistic that we're close, but I seem to be broken at some very early step (no "files" eventtype, lookups return nothing, etc).

Any help?

bfsplunkdl · ‎02-19-2016

I now also see a bit more deeply into the inner workings of the app.

THe FieldAliases are there for the issues like status and sc_status, but without my adding that manually into the eventtype, status=200 always returned no results.

Also the props-extract for iis : EXTRACT-file is not working at all, it's not pulling out "file" from any events.

Not sure where to go from here.

PS: my user is a splunk admin (and power user, and others - I have full access).

I'm going to disable, delete the app, and reinstall again as the splunk admin just to see if behavior is any different.

I'd love to get this working and help others so any info you need from me just ask and I'll try to provide.

cbader · ‎11-20-2015

I see that we have a field titled "tag::eventtype". However, it appears that the value of this field is "web"

I don't see event type anywhere else in the results.

jbjerke_splunk · ‎11-20-2015

Can you check that you have the eventtype=pageview present in your data when searching for tag=web?

This is used in the lookups as a filter.

cbader · ‎11-24-2015

I do not see it anywhere in the results returned when performing the tag=web query.

cbader · ‎11-20-2015

The tag=web does return results and from what I can see the "site" field is populated with one of the two domains that are tied to the web logs that are being indexed. At least it shows up in the results as site="swc.nd.gov" or site="swc.state.nd.us", which is correct. I have pushed all of these into the "main" index so I am assuming that they are accessible particularly since the tag=web does return results.

When running the Setup->Lookups, neither returns any results and when looking at the Real-Time screen I get no results returned either. I did not do anything special for the "site" field is that something that needs to be defined for the searches to return results properly?

jbjerke_splunk · ‎11-20-2015

Hi cbhader

Don't worry so much about the Data Model audit page. It just reports of the data model has been built or not. You can see much of the same things under Settings->Data models

If you can't get any data for the lookup searches that is a bigger problem.

Have you gone through steps in the troubleshooting section of the documentation?

In the context of the app, try and do the search for:

tag=web

If this is not returning any results I suspect you are not seeing the data because it is stored in a non-default index and the user in Splunk does not search in non-default indexes automatically. Another issue might be that you are not using any of the pre-configured sourcetypes. See Setup point 1 above.

If this is returning results, double check that each entry has the "site" field populated. It's crucial that this field exists in your data. See Setup point 2 above.

j

cbader · ‎11-19-2015

I have re-installed the Web Analytics app and I am not making any progress. I am getting the same error when I try to look at the data model that I initially reported. When I try to run the Setup Lookups to generate the User Sessions or Pages, it does not return any results. I am new to Splunk and not sure where to look from here.

cbader · ‎11-17-2015

I am currently running version 1.6.

The splunk_server=local is already defined in the search

| rest /servicesNS/-/-/data/models splunk_server=local search="acceleration=* . . . . .

or is there someplace else that I should be placing it??

Splunk App for Web Analytics: Why am I getting error "[subsearch]: Failed to fetch REST endpoint uri=..."?

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!