Hi,
When I look at the Threat Dashboard, I can see data populating from index=pan_logs. When I attempt to drill down or display any other dashboard, I get "No results found" on all panels. I am running Splunk 6.1 on Linux and version 4.1.3 of the Palo Alto App.
Using default macros.conf
My inputs.conf
[udp://5515]
connection_host = dns
index = pan_logs
source = pan_syslog
sourcetype = pan_log
no_appending_timestamp = true
Hitting inspect in any of the empty panels returns:
"This search has completed and found 6,842 matching events. However, the transforming commands in the highlighted portion of the following search:
| tstats summariesonly=t values(sourcetype) as sourcetype values(log.threat_name) as threat_name sum(log.bytes) as bytes sum(log.elapsed_time) as duration FROM datamodel="pan_logs" WHERE (nodename="log.traffic" OR (nodename="log.threat" )) GROUPBY log.session_id log.user log.server_ip log.application log.server_location | rename log.session_id AS session_id log.user AS user log.server_ip AS server_ip log.application AS application log.server_location AS server_location | search sourcetype="pan_threat" bytes!="" server_location!="" user!="" | eval KB=bytes/1024
over the time range:
11/4/14 8:49:00.000 AM – 11/4/14 9:49:55.000 AM
generated no results. Possible solutions are to:
check the syntax of the commands
verify that the fields expected by the report commands are present in the events"
And here is the XML of the dashboard
Threat Details
<input type="time" searchWhenChanged="true">
<default>
<earliestTime>-60m@m</earliestTime>
<latestTime>now</latestTime>
</default>
</input>
<input type="text" token="threat_name">
<label>Threat</label>
<default/>
<prefix>log.threat_name="</prefix>
<suffix>"</suffix>
</input>
<input type="text" token="user">
<label>User</label>
<default/>
<prefix>log.user="</prefix>
<suffix>"</suffix>
</input>
<input type="text" token="app">
<label>Application</label>
<default/>
<prefix>log.app="</prefix>
<suffix>"</suffix>
</input>
<input type="text" token="location">
<label>Location</label>
<default/>
<prefix>log.server_location="</prefix>
<suffix>"</suffix>
</input>
| tstats
values(sourcetype) as sourcetype values(log.threat_name) as threat_name sum(log.bytes) as bytes sum(log.elapsed_time) as duration
FROM datamodel="pan_logs" WHERE (nodename="log.traffic" OR (nodename="log.threat" $threat_name$)) $user$ $app$ $location$
groupby(log.session_id log.user log.server_ip log.application log.server_location)
| search sourcetype="pan_threat" bytes!="" server_location!="" user!="" | eval KB=bytes/1024
$earliest$
$latest$
<chart>
<title>Locations by Kilobytes</title>
<searchPostProcess>stats sum(KB) as "Total Bytes (KB)" by server_location
| rename server_location AS "Server Location" | sort -"Total Bytes (KB)"</searchPostProcess>
<earliestTime>$earliest$</earliestTime>
<latestTime>$latest$</latestTime>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.placement">bottom</option>
<option name="wrap">true</option>
<option name="displayRowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
<drilldown>
<link>
<![CDATA[
/app/SplunkforPaloAltoNetworks/threat_detail?form.location=$click.value$
]]>
</link>
</drilldown>
</chart>
<chart>
<title>Users by Kilobytes</title>
<searchPostProcess>| stats sum(KB) as "Transferred (KB)" by user | sort -"Transferred (KB)"</searchPostProcess>
<earliestTime>$earliest$</earliestTime>
<latestTime>$latest$</latestTime>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<drilldown>
<link>
<![CDATA[
/app/SplunkforPaloAltoNetworks/threat_detail?form.$click.name$=$click.value$
]]>
</link>
</drilldown>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="count">10</option>
</chart>
<table>
<title>Bytes Transferred Duration by Users</title>
<searchPostProcess>stats sum(KB) as "Transfer (KB)" sum(duration) as "Total Duration" by user application server_location</searchPostProcess>
<earliestTime>$earliest$</earliestTime>
<latestTime>$latest$</latestTime>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="wrap">true</option>
<option name="displayRowNumbers">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="count">10</option>
<option name="rowNumbers">true</option>
</table>
<table>
<title>Threats by Bytes Transferred and Sessions</title>
<searchPostProcess>stats sum(KB) as "Transfer (KB)" count(session_id) as "Total Sessions" by threat_name</searchPostProcess>
<earliestTime>$earliest$</earliestTime>
<latestTime>$latest$</latestTime>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="wrap">true</option>
<option name="displayRowNumbers">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="count">10</option>
<drilldown>
<link>
<![CDATA[
/app/SplunkforPaloAltoNetworks/threat_detail?form.threat_name=$click.value$
]]>
</link>
</drilldown>
<option name="rowNumbers">true</option>
</table>
Thanks!
Jon
Hi Jon,
The threat details dashboard relies on a combination of threat and traffic logs. Ensure you're sending traffic logs to Splunk by enabling 'start' and/or 'end' logs in the same security rule where the threat profiles are applied. You can verify you're receiving traffic logs in Splunk by using the macro:
`pan_traffic`
-Brian
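To make the inspect message above concrete ("6,842 matching events" from the tstats, but nothing after the transforming commands), here is a small Python model of what the threat_detail search does to threat and traffic rows. This is an added illustration, not code from the thread or from the Palo Alto App: the field names mirror the data model nodes and fields named in the dashboard search (log.threat, log.traffic, session_id, user, server_ip, application, server_location, bytes, elapsed_time, threat_name), and all sample events are constructed. It assumes, as the real GROUPBY does, that a threat event and its traffic event carry identical values for every groupby field; otherwise they land in separate rows and never merge.

```python
from collections import defaultdict

GROUPBY_FIELDS = ("session_id", "user", "server_ip", "application", "server_location")

# Constructed sample events (not real firewall logs).
# Threat events carry threat_name; traffic events carry bytes and elapsed_time.
THREAT_ONLY = [
    {"sourcetype": "pan_threat", "nodename": "log.threat", "session_id": "1001",
     "user": "alice", "server_ip": "203.0.113.10", "application": "web-browsing",
     "server_location": "US", "threat_name": "Generic.Trojan"},
    {"sourcetype": "pan_threat", "nodename": "log.threat", "session_id": "1002",
     "user": "bob", "server_ip": "198.51.100.7", "application": "ssl",
     "server_location": "DE", "threat_name": "Eicar Test File"},
]
TRAFFIC = [
    {"sourcetype": "pan_traffic", "nodename": "log.traffic", "session_id": "1001",
     "user": "alice", "server_ip": "203.0.113.10", "application": "web-browsing",
     "server_location": "US", "bytes": 4096, "elapsed_time": 12},
    {"sourcetype": "pan_traffic", "nodename": "log.traffic", "session_id": "1002",
     "user": "bob", "server_ip": "198.51.100.7", "application": "ssl",
     "server_location": "DE", "bytes": 2048, "elapsed_time": 5},
    # A session with traffic but no threat: dropped later by sourcetype="pan_threat".
    {"sourcetype": "pan_traffic", "nodename": "log.traffic", "session_id": "1003",
     "user": "carol", "server_ip": "192.0.2.44", "application": "dns",
     "server_location": "US", "bytes": 8192, "elapsed_time": 1},
]


def tstats_sessions(events):
    """Model of the tstats stage of the dashboard search:
    values(sourcetype), values(log.threat_name), sum(log.bytes), sum(log.elapsed_time)
    WHERE nodename=log.traffic OR nodename=log.threat
    GROUPBY session_id user server_ip application server_location.
    Every event in either node counts as a 'matching event', whether or not it
    contributes bytes, which is why the inspect message reports thousands of matches."""
    groups = defaultdict(lambda: {"sourcetype": set(), "threat_name": set(),
                                  "bytes": None, "duration": None})
    for e in events:
        if e["nodename"] not in ("log.traffic", "log.threat"):
            continue
        g = groups[tuple(e.get(f) for f in GROUPBY_FIELDS)]
        g["sourcetype"].add(e["sourcetype"])          # multivalue, like values()
        if "threat_name" in e:
            g["threat_name"].add(e["threat_name"])
        if "bytes" in e:                               # sum() of an absent field stays null
            g["bytes"] = (g["bytes"] or 0) + e["bytes"]
        if "elapsed_time" in e:
            g["duration"] = (g["duration"] or 0) + e["elapsed_time"]
    rows = []
    for key, g in groups.items():
        row = dict(zip(GROUPBY_FIELDS, key))
        row.update(sourcetype=sorted(g["sourcetype"]), threat_name=sorted(g["threat_name"]),
                   bytes=g["bytes"], duration=g["duration"])
        rows.append(row)
    return rows


def threat_detail_rows(events):
    """Model of the trailing filter and eval:
    | search sourcetype="pan_threat" bytes!="" server_location!="" user!="" | eval KB=bytes/1024
    bytes only ever comes from log.traffic, so with threat logs alone every row has a
    null bytes field and bytes!="" removes all of them: 'generated no results'."""
    out = []
    for r in tstats_sessions(events):
        if "pan_threat" not in r["sourcetype"]:        # multivalue field: any value matches
            continue
        if r["bytes"] is None or not r["server_location"] or not r["user"]:
            continue
        r["KB"] = r["bytes"] / 1024
        out.append(r)
    return out


def locations_by_kb(rows):
    """Model of the 'Locations by Kilobytes' post-process: stats sum(KB) by server_location."""
    totals = defaultdict(float)
    for r in rows:
        totals[r["server_location"]] += r["KB"]
    return dict(totals)


if __name__ == "__main__":
    print("threat logs only:", len(tstats_sessions(THREAT_ONLY)), "sessions matched,",
          len(threat_detail_rows(THREAT_ONLY)), "rows after bytes!=\"\" filter")
    both = THREAT_ONLY + TRAFFIC
    print("threat + traffic :", len(threat_detail_rows(both)), "rows;",
          locations_by_kb(threat_detail_rows(both)))
```

Running it with THREAT_ONLY reproduces the symptom in the question: the tstats stage matches every threat event, but no row survives the bytes!="" filter, so every panel's post-process gets an empty input. Adding the traffic events for the same sessions (and only for those sessions; the traffic-only session 1003 is still discarded by sourcetype="pan_threat") is what makes the panels populate, which is the point of Brian's advice to enable 'start' and/or 'end' logging on the rule that carries the threat profiles.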
Thanks Brian. I found out currently we are not ingesting the traffic logs and that we currently don't have the index space to do so. Will let you know if/when I get the chance to try this.
Jon
I am also facing the same issue. When I run `pan_traffic`, data is populating. I have checked in the search bar for the different threat types; I see url, virus, vulnerability. But the Traffic dashboard is showing empty.
Also, I can see the threat dashboards fully populated, but the other dashboards don't have data in them.
Based on the Q&A in Splunk, I have checked whether data model acceleration is enabled and whether `pan_traffic` is showing events. In both cases it is working for me.
Could anyone tell me what the issue could be? I am using Palo Alto App 5.0.1.